1
WSOPP HIPAA Compliance
April 08, 2011
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH) of the American Recovery and Reinvestment Act of 2009 (ARRA)
2
Review of HIPAA
- Privacy
  - Uses and Disclosures
  - Rights provided to Individuals
- Security
  - Ensuring the confidentiality, integrity, and availability of e-PHI
  - Implementing the appropriate safeguards to secure data: Administrative, Physical, Technical
- Electronic Standard Transactions
  - Claims, Remits, Eligibility Requests/Responses, etc.
  - ICD-10 – Coming October 1, 2013
- Unique Identifiers
  - TIN, NPI
  - Still to come: identifiers for individuals and health plans
3
Privacy
- 164.500 Applicability.
- 164.501 Definitions.
- Uses and disclosures of protected health information: general rules.
- Uses and disclosures: organizational requirements.
- Consent for uses or disclosures to carry out treatment, payment, and health care operations.
- Uses and disclosures for which an authorization is required.
- Uses and disclosures requiring an opportunity for the individual to agree or to object.
- Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
4
Privacy, Continued
- Other requirements relating to uses and disclosures of protected health information.
- Notice of privacy practices for protected health information.
- Rights to request privacy protection for protected health information.
- Access of individuals to protected health information.
- Amendment of protected health information.
- Accounting of disclosures of protected health information.
- Administrative requirements.
- Transition requirements.
- Compliance dates for initial implementation of the privacy standards.
5
Group Check
- Understand what is generally expected by the Privacy and Security Rules
- Completed all assessments and compliance documentation
- Controls have been tested, staff has been trained – compliance is in maintenance mode
6
Privacy: Uses of PHI (protected health information)
- Creates PHI in paper and electronically
  - Purpose: To create medical documentation that supports the medical necessity of the services provided
  - Purpose: To collect demographic and financial information for the purpose of billing insurance
  - Purpose: To improve our internal business practices, and train staff members
- Modifies PHI during the course of assessment
  - Purpose: To note changes or additional information
- Transmission of e-PHI
  - Purpose: Submission of electronic claims
- Stores PHI and e-PHI
  - Purpose: For maintaining appropriate records (6 years – HIPAA, 7 years state)
7
Privacy: Disclosures of PHI
- Disclosures to patients upon written request
- Disclosures to providers for the purpose of continued or collaborative treatment planning
- Disclosures to insurance companies for the purpose of claims adjudication, response to an appeal, denial or rejection
- Disclosures to law firms, workman’s compensation firms, etc. (must be accompanied by an authorization for the release of Protected Health Information)
- Disclosures to OCI for the purpose of settling insurance disputes that cannot be resolved by the payer
- Disclosures to personal representatives for the purpose of assisting the patient with their treatment, claims or payment
- Uses and Disclosures: Confidentiality Policy and Agreement
8
Responsibilities
- Business Associate Agreements (written satisfactory assurances) must be in place to ensure appropriate safeguards will be met when handling PHI
- Who needs one? All subcontractors/agents, partners or other companies that perform covered functions or activities for or on your behalf
9
Covered Entity Responsibilities
- Ensure all business associates have engaged in a Business Associate Agreement for the activities/services they may be performing for or on your behalf
- Implement a breach notification policy with each Business Associate to ensure all breaches, incidents and occurrences are reported to you as the covered entity
- Report as necessary the breaches that occur
- Mitigate harm to individuals as necessary in response to the breach that may have occurred
10
Changes to the Requirements for Business Associates
- American Recovery and Reinvestment Act of 2009 requires all Business Associates to obtain or execute a Business Associate Agreement in accordance with the standards
- Old requirement – Covered entity must obtain the written assurances (Business Associate Agreement)
- New requirement – Business Associate is just as responsible for the execution of these agreements
11
Group Check
- Business Associates have been identified
- Identified when you are the Business Associate to others
- New expectations for the Business Associate have been discussed with your vendors
- All agreements have been updated with the new requirements and executed
- Open discussions regarding compliance requirements
- Breach Notification process has been reviewed
12
Breach Notification Rules
- The Interim Final Rule for Breach Notification for Unsecured Protected Health Information was released August 24, 2009
- Requirements are substantial for covered entities as well as business associates when a breach has occurred
- Not all incidents are a breach – be sure to always indicate we are addressing an occurrence or an incident versus using the word “breach”
13
ARRA Defines “Breach”
Breach means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy* of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
*poses a significant risk of financial, reputational, or other harm to the individual
14
ARRA Defines “Breach”: Breach exceptions
The term “breach” does not include:
- Any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or business associate if –
  - Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
  - Such information is not further acquired, accessed, used, or disclosed by any person; or
- Any inadvertent disclosure from an individual who is otherwise authorized to access PHI at the facility operated by a covered entity or business associate to another similarly situated individual at the same facility; and
  - Any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.
15
Examples of Breach – HIPAA COW Privacy and Security Networking Group – Breach Notification Policy © Copyright 2009 HIPAA COW
- EOB (Explanation of Benefits) sent to the wrong guarantor
- Misfiled patient information in another patient’s medical records which is brought to the organization’s attention by the patient
- Medical record copies in response to a payer’s request lost in the mailing process and never received
- Misdirected fax of patient records
- Briefcase containing PHI was stolen from a car
- PDA with patient-identifying wound photos lost
- Medical record documents left in a public access cafeteria
16
Breach Reports From the Office of Civil Rights
- Since 2009 there have been 3,312,495 individuals affected by breach incidents reported as a result of breaches that affected over 500 individuals
- Most of the reports involved e-PHI contained in lost or stolen unencrypted media or portable devices. Stolen laptops were one of the leading causes of a breach.
- Hundreds of smaller breaches have occurred; most were related to paper records sent to wrong fax numbers, wrong addresses, and wrong individuals.
17
Breach Notification
- While HIPAA did not require notification when patient PHI was inappropriately disclosed, covered entities may have chosen to include notification as part of the mitigation process.
- HITECH/ARRA does require notification of certain breaches of unsecured PHI to the following: Individuals; Department of Health and Human Services (HHS); and Media
- Interim final rule was published August 2009 – we are expecting the final rule this March 2011.
18
Notification Requirements
When Individual Notification is Required:
- Notification to the individuals affected by a breach of unsecured PHI – when PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
- Breach is treated as discovered the first day the breach is known to the covered entity
- Covered entity shall send the required notification without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered by the covered entity.
- Content of the notification
- Urgent situations – Notification by telephone and in writing
19
Notification Recommendations
Describe the event and include the following information:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured PHI that were involved in the breach (full name, SS#, date of birth, home address, account number, diagnosis, disability code or other types of information involved)
- Any steps the individual should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the organization is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which include a toll-free number, an e-mail address, web site, or postal address
20
Notification to the Media
- Notice should be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach, if the unsecured PHI of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.
- Supplement to the individual notice
- Notice required no later than 60 calendar days after discovery of the breach
21
Notification to the Secretary
- Notification to the Secretary of breaches of unsecured PHI for breaches involving 500 or more individuals immediately upon discovery; must be no later than 60 days from date of discovery
- For breaches where fewer than 500 individuals were affected – Maintain a log of such breaches and annually submit such log to the Secretary documenting the breaches occurring during the year involved.
- Secretary will post on the HHS Website a list of covered entities that submit reports of breaches of unsecured PHI involving more than 500 individuals
22
Application of Provisions and Penalties to Covered Entities
- HIPAA holds the covered entity responsible for the activities of their business associates – Business Associates were not subject to the fines and penalties by OCR; HITECH/ARRA holds the Business Associate just as responsible and applies the penalties to the BA as they would be applied to a covered entity
- Penalties do not apply if the organization did not know (or by exercising reasonable diligence would not have known) of the violation, or if the failure to comply was due to a reasonable cause and was corrected within thirty days.
23
Penalties
- Based on the organization’s responsibility for the HIPAA violation
- Penalties will be based on the determination of the nature and extent of both the violation and the harm caused by the violation
- Secretary holds the discretion to impose corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) that such person committed a violation
- The maximum penalty is $50,000 per violation, with a cap of $1,500,000 for all violations of an identical requirement or prohibition during a calendar year
24
Civil Monetary Penalties
- Tier A – Offender did not know: $100 for each violation; total for all violations of an identical requirement cannot exceed $25,000 per calendar year
- Tier B – Violation due to reasonable cause, not willful neglect: $1,000 for each violation; total for all violations of an identical requirement cannot exceed $100,000 per calendar year
- Tier C – Violation due to willful neglect, but was corrected: $10,000 for each violation; total for all violations of an identical requirement cannot exceed $250,000 per calendar year
- Tier D – Violation due to willful neglect, but was NOT corrected: $50,000 for each violation; total for all violations of an identical requirement cannot exceed $1,500,000 per calendar year
25
Willful Neglect – Not Defined Under HITECH/ARRA
Here are some indicators:
- All you have are legal documents for patients and/or business associates to sign, without the underlying processes to support said documents.
- You have legal documents, but they do not meet the specific requirements contained in the regulations.
- You have no demonstrable evidence that you are training your staff as required by the regulations. When was the last time that the receptionist received training?
- You have no plan to show how you are working on full compliance, despite the fact that you are not in full compliance at the moment.
- You have an EHR system running on a local server and the server room is not secured.
- Your employees have their passwords on "sticky notes" that are readily visible.
- You have not implemented (and have no idea regarding) HHS' guidance for securing protected health information (PHI).
- You have no plan for notifying your patients (and potentially the media) when your unsecured PHI has been breached.
26
Group Check
- Breach Reporting and Response Processes are in place
- Business Associates have reported a breach to your organization
- Submitted necessary Breach Notification Reports to OCR
- Appropriate breach reporting tools are being used to track breaches that occur
- Understood the requirements for handling the breach incident and determining vendor responsibility
- Completed the on-line reporting tool
- Reported to individual, covered entity or HHS
27
Defining Unsecured PHI
Means PHI that is not secured through the use of a technology or methodology specified by the Guidance Specifying the Technologies and Methodologies that render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under HITECH/ARRA; Request for information.
28
Data Comprising PHI: Data States
- Data in Motion – data that is moving through a network, including wireless transmission;
- Data at Rest – data that resides in databases, file systems, and other structured storage methods;
- Data in Use – data in the process of being created, retrieved, updated, or deleted; or
- Data Disposed – discarded paper records or recycled electronic media
29
Two Methods Identified Under Guidance
First Method
- Encryption is one method of rendering e-PHI unusable, unreadable, or indecipherable to unauthorized persons
- Depends on the strength of the encryption algorithm and the security of the decryption key or process
- “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached.”
30
Two Methods Identified Under Guidance
Second Method
- Destruction of PHI both in paper and electronic form as a method for rendering such information unusable, unreadable, or indecipherable to unauthorized individuals.
- If PHI is destroyed prior to disposal in accordance with this guidance, no breach notification is required following access to the disposed hard copy or electronic media by unauthorized persons.
31
Destruction of PHI
Media on which PHI is stored or recorded must be destroyed in one of the following ways:
- Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
- Electronic media have been cleared, purged, or destroyed consistent with NIST Guidelines for Media Sanitization, such that PHI cannot be retrieved.
32
Group Check: Encryption, Destruction, Storage
- Strength of encryption standards has been tested against guidance for “secured PHI”
- Destruction requirements have been implemented for paper and electronic media
- Electronic and paper storage requirements have been evaluated
33
ARRA/HITECH – Security Requirements for the Business Associate
Application of the Security provisions now holds the Business Associate responsible to comply with:
- § (Administrative Safeguards)
- § (Physical Safeguards)
- § (Technical Safeguards)
- § (Policies and Procedures and Documentation Requirements)
34
Impact to Practices
- Increased enforcement raises the need for tighter internal compliance
- Breach Notification rules put the practice at risk if the information breached was not Secured
- Increased importance of ensuring all Business Associate Agreements are up to date and enforced
- Annual review of Business Associate Agreements
35
Guidance and Regulations Forthcoming
- Final rules for: Breach Notification; Enforcement; Modifications to Privacy and Security related to HITECH
- New rules will be introduced sometime in March – all rules will be released at once.
- Proposed rule on Accounting of Disclosures – expected sometime in 2011 – working to expand accounting to include treatment, payment, and health care operations when they occur from an EHR
- Detailed audit plan to be released in 2011
36
Technology and Compliance
Many technology changes are being introduced into the industry:
- Electronic signatures
- Electronic Medical Records (EMRs)
- PDAs
- iPads
- Notebooks
New uses of technology will need to be re-evaluated for updated compliance practices and controls
37
Security Rules
- 164.302 Applicability.
- 164.304 Definitions.
- Security Standards: General Rules.
- Administrative Safeguards.
- Physical Safeguards.
- Technical Safeguards.
- Organizational Requirements.
- Policies and Procedures and Documentation Requirements.
- Compliance Dates for the Initial Implementation of the Security Standards.
38
Group Check
- Security Risk Assessment has been performed
- Access has been assessed for all employees and vendors
- Contingency Plans have been developed and tested
- Security Training and Awareness has been completed
- Risks, Threats and Vulnerabilities have been identified
- Appropriate authorization and supervision of access has been implemented
- Back-up plans, disaster recovery, emergency mode of operation plans
- Security Reminders
- Protection from Malicious Software
- Log-in Password Management
39
Are you compliance ready?
Compliance readiness
40
Required Tasks – Performing the e-PHI Trail: Privacy
- Analyze uses and disclosures
- Identify Business Associates
- Confirm use of authorizations
- Implement procedures for personal representatives
- Identify releases and disclosures allowed or required by law
- Create Minimum Necessary rules
- Create Notice of Privacy Practices
- Implement Patient Rights activities
- Perform annual training
- Create Policies and Procedures
- Create final compliance documentation
41
Required Tasks – Performing the e-PHI Trail: Security
- Analyze electronic use and disclosure of e-PHI
- Determine mechanisms utilized to create, transmit, store and/or destroy information
- Review current access authorizations and supervision
- Review continuity plans
- Assess risks, threats and vulnerabilities
- Perform system control tests
- Implement secure transmissions
- Implement physical facility security
- Perform annual Security Awareness and Training
- Document compliance assessment findings
- Identify implementation tasks
- Complete tasks
- Create final documentation
42
Questions and Answers
Presented by: Chris Duprey & Carrie Romandine
CARIS Innovation, Inc.
5871 Main St.
Abrams, WI 54101