Living with HIPAA: Compendium of Next Steps from Rural Hospitals to Large Health Systems to Physician Practices
Presented by HIPAA Pros
5th Annual HIPAA Summit, Baltimore, Maryland, October

2 Living with HIPAA
- Implementation priorities
- Assuring money and effort are well spent
- The three legs of Administrative Simplification
- Where to begin?
- Identifying "chunks"
- What is "reasonable"?
- Who will do the work?

3 Experience-Based
- Rural Hospital Experiences: Best Practices
- Community Hospitals: Security Needs
- Large Health Systems: Compliance Tracking Tools
- How to establish priorities
- Determining "Chunks"

4 LESSONS LEARNED #1
EDI Remains a Major Concern
- Vendor Readiness
- Facility Readiness

5 RECOMMENDATION #1
EDI task force working with vendors and health plans to identify data elements and prepare for testing by April 14, 2003.

6 LESSONS LEARNED #2
Most of HIPAA compliance comes down to behavioral changes: staff, physicians, volunteers, etc.

7 RECOMMENDATION #2
Staff Training
- Ongoing
- Focused

8 LESSONS LEARNED #3
Future compliance demands solid:
- Policies
- Procedures
- Training

9 RECOMMENDATION #3
Establish a "HIPAA Coordinators" group to encourage exchange of information.

10 LESSONS LEARNED #4
Need to consider "Contingency Plans".

11 RECOMMENDATION #4
Get Moving. Get Serious. Get Done.

12 Protecting PHI
- The end goal: find it, follow it and protect it
- All the activities basically follow the PHI
- More than electronic: paper and oral as well
- What is it and who controls it? Surprise: not you
- For all intents and purposes, it's everything!

14 Common Security Compliance Findings

15 Applicable to community hospitals and all other HIPAA entities (that's the lesson learned!)

16 The Proposed HIPAA Security Standards: Subject Areas
- Administrative Procedures [45 CFR § (a)]
- Physical Safeguards [45 CFR § (b)]
- Technical Security Services [45 CFR § (c)]
- Technical Security Mechanisms [45 CFR § (d)]

17 Administrative Procedures
- Certification Process and Program Development [45 CFR § (a)(1)]: internal or external
- Contingency Program Development [45 CFR § (a)(3)], which must include:
  - Applications and Data Criticality Analysis
  - Data Backup Plan
  - Disaster Recovery Plan for the Entire Enterprise
  - Emergency Mode of Operation
  - Testing and Revision Procedures

18 Administrative Procedures (continued)
- Records Processing Policies and Procedures Development [45 CFR § (a)(4)]: receipt, manipulation, storage, dissemination, transmission and disposal of PHI
- Information Access Control Policies and Procedures [45 CFR § (a)(5)]:
  - Access Authorization (overall access procedures)
  - Access Establishment (initial right of access)
  - Access Modification (job change or termination)

19 Administrative Procedures (continued)
- Security Configuration Management Policies [45 CFR § (a)(8)]:
  - Hardware and software installation and maintenance review and testing
  - Hardware and software inventory
  - Security Testing (host and network component penetration testing)
  - Protocols and Services

20 Administrative Procedures (continued)
- Training Program Development [45 CFR § (a)(12)]:
  - Security Awareness Training for ALL Personnel
  - Periodic Reminders
  - Virus Protection Education
  - Log-in Access Education
  - Password Management Education

21 Physical Safeguards
- Assigned Security Responsibility [45 CFR § (b)(1)] (must understand all aspects of information security)

22 Technical Security Services
- Access Control [45 CFR § (c)(1)(i)]. Implementation features, at least one of the following:
  - Context-based
  - Role-based
  - User-based
- Audit Controls [45 CFR § (c)(1)(ii)]: mechanisms to record and examine system activity

23 Technical Security Mechanisms
- Network Controls [45 CFR § (d)(2)]: Alarm (IDS)

24 “The computer expert is here, Mr. Rumson.”

25 Do Not Delay

26 LARGE IDS
- Multiple Acute Care Hospitals
- Long-term Care Facilities
- Health Plan
- Clinics
- Dental Clinics
- Faculty Practice Plans

27 HIPAA Implementation Situation
- Organize HIPAA implementation for a large, urban, single-entity healthcare system with 130 facilities ranging from large acute care to small clinics.
- Track and monitor implementation progress throughout a diverse, distributed entity.

28 HIPAA Implementation Tasks
- Create an implementation plan for 7,500 HIPAA recommendations and findings.
- Organize and coordinate central and local implementation teams.
- Manage and track compliance implementation as findings are addressed in an auditable manner.

29 HIPAA Implementation Plan
- Perform Analysis
- Design Implementation Projects
- Formulate Organization Structure and Operating Processes
- Formulate Organizational Roles and Responsibilities
- Create and Deploy Implementation Tools

30 Analysis
Recommendations and findings were extracted from reports and categorized with 25 unique identifiers, which include regulation paragraph number and section, implementation workgroup, and action required for implementation.

31 Projects
- Projects were formulated based on the type of action required on recommendations and findings.
- Projects were prioritized based on the regulatory risk profile of the entity.

32 Organization
- Structure was designed to include executive management, privacy officer, compliance directors, implementation workgroups and consultant subject matter experts.
- The process for organizational behavior was pre-defined to ease information flow and workflow during implementation.
- Roles and responsibilities were defined within the process to assist team behavior and function.

33 Tools
- A compliance tracking database was designed and developed to house recommendations, work groups and projects.
- The tool enables users to monitor their area of responsibility for HIPAA implementation.
- The tool provides a compliance audit trail for regulatory enforcement inquiries.

34 Compliance Tracking Tool
Features:
- My Dashboard, for executive-level compliance tracking
- My Recommendations, for manager-level tracking of activity by recommendation and finding
- Projects, for project creation, maintenance and tracking
- Recommendations, for user-designed query searches of the recommendation database, and recommendation management

35 Compliance Tracking Tool
42 Summary
Use of an implementation partner has distinct advantages to the organization:
- Available implementation tools.
- Proven HIPAA implementation management methods and techniques.
- Regulatory subject matter expertise built through training and experience.

43 Where to start?
Assuming a work plan exists from the initial baseline assessment, it is clear that providers must first address "HIGH" risk areas. "Typical" high risk areas include:
- Vendor readiness
- Health Plan directives
- Lack of Compliance Plan components (required)
- Training, training and more training
- Business Associates
- Physical Security
- Records management

44 Setting Priorities
- Infrastructure issues
  - Firewalls
  - Protecting the network
  - Access controls
- Patient rights
  - HIPAA is a patient-centric set of regulations, and documentation of decisions on patient rights (Notice of Privacy Practices, handling disclosures) is a critical step

45 Manageable "Chunks"
Working in the above priorities, define chunks of tasks that can be delegated to the work groups, all designed to address the high priority areas:
- Security in the systems: affected by decisions already made to address the EDI concerns
- EDI task forces: focus is on meeting testing parameters and assuring the system (whether computerized or manual) allows all components of your HIPAA Covered Entity to capture the required data elements
- Privacy projects: awareness training, formation of a compliance office, documents, management of patient rights and Business Associates

46 “And now, let’s determine if we are a covered entity, affiliated single covered entity, hybrid covered entity or organized health care arrangement.”

47 Covered Entity Decisions
- Single entity
- Affiliated single entity
- Hybrid entity
- Organized health care arrangement
- Considerations: pros/cons documentation

48 Improving Cash Flow
- EDI standards require uniform codes for all payers
- Uniformity = Cost Savings
- This is the bottom line!

49 Question & Answer

50 Contacts
- Janet Himmelreich
- John Whitman
- Martin Rogers
- Melissa Campbell