What is HIPAA in 2016? Presented By: Suze Shaffer, CHSP


1 What is HIPAA in 2016? Presented By: Suze Shaffer, CHSP
HIPAA Security Analyst ©2016 Aris Medical Solutions. All Rights Reserved

2 Topics Covered Today
HIPAA, 1996
HIPAA Privacy Rule, 2003
HIPAA Security Rule, 2005
The HITECH Act, 2009
Omnibus Rule, 2013
Breach Notification Rule
The Enforcement Rule

3 Legal Notice Nothing contained herein should be considered to be legal advice. All recommendations are from NIST, DHHS, CMS, OCR, and the guidelines set forth under HIPAA and the HITECH Act. Always consult with your attorney when you have legal matters.

4 HIPAA The Health Insurance Portability and Accountability Act of 1996 (enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton. It has been known as the Kennedy-Kassebaum Act or Kassebaum-Kennedy Act after two of its leading sponsors. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

5 Privacy Rule The HIPAA Privacy Rule established national standards to protect individuals’ medical records and other personal health information. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

6 Privacy Rule Requirements
Covered Entities and their Business Associates are required under Federal law to protect PHI. Protected Health Information (PHI) is individually identifiable health information transmitted or maintained in any form or medium (including oral or written). PHI is any information about health status, whether past, present, or future, the provision of health care, or payment for health care that can be linked to a specific individual.

7 Security Rule The Security Rule protects the confidentiality, integrity, and availability of electronic protected health information (ePHI). This rule was written by NIST, the National Institute of Standards and Technology.

8 HITECH Act The Health Information Technology for Economic and Clinical Health Act, abbreviated HITECH Act, was enacted under the American Recovery and Reinvestment Act of 2009 to promote the adoption and use of Electronic Medical Records. The act stipulates that, as of 2011, healthcare providers would be offered financial incentives for demonstrating meaningful use of electronic health records (EHRs). Incentives are offered for a limited period; after that point, penalties may be charged for failing to demonstrate such use. It also included interim rules until the “Final” Rules could be defined.

9 This is NOT new! Since Electronic Medical Records were not as prevalent in 2005 as they are today, the Security Rule has been ignored for years. When the “Meaningful Use” criteria were created in the HITECH Act, the Security Rule was re-introduced as a Core Measure.

10 MU Core Measure: Protect Electronic Health Information
What the Measure Requires: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
What That Means for You: You have to meet the same HIPAA requirements for protecting patient information in your EHR as you do for paper records. To do this, you must conduct a security review of your system and correct any problems that could make patient information vulnerable.
Are You Excluded from Having to Do This? There is no exclusion for this objective. Everyone has to meet it.

11 Omnibus Rule The Omnibus Rule modified the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”) to strengthen the privacy and security protection for individuals' health information. The Omnibus Rule is also known as the “Final Rule”. Entities now include Business Associates and Subcontractors of Business Associates, as well as the Covered Entities themselves. It modified the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule), and removed the “harm” threshold when determining whether or not a breach had occurred. Organizations must “prove” the information was not accessed by an unauthorized entity or they must report the breach. The Omnibus Rule also modified the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA).

12 Breach Notification Rule
Federal law requires Covered Entities to report a data breach of over 500 patient records to their patients, as well as to the Office for Civil Rights, within 60 days. The only exemption is if the data was encrypted or it can be confirmed that the data was not accessed or viewed. Check your State laws, because State law supersedes Federal law where it is more stringent. Forty-seven states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring entities to notify individuals of security breaches. For example: Florida entities only have 30 days to advise their patients and the Department of Legal Affairs.

13 Enforcement Rule “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce The HIPAA privacy and security protections.” - HHS Office for Civil Rights Former Director, Leon Rodriguez (Jocelyn Samuels is the current Director) HIPAA Enforcement is on the way!

14 Who enforces HIPAA?
Since the government considers a HIPAA violation to be a violation of Constitutional Rights, the Office for Civil Rights (OCR) investigates and enforces Privacy violations. Fines and penalties can be serious. Willful neglect fines range from $50,000 to $1.5 million per violation, along with jail time of up to 10 years. Plus, you can be fined for NOT KNOWING!

15 First things First… Assign a HIPAA Privacy Officer & HIPAA Security Officer
Commonly known as the Compliance Officer. This can be assigned to one person in smaller offices, but everyone needs to participate in the compliance efforts. These are not just job titles; the positions have responsibilities under Federal Law. These officers are responsible for the creation, implementation, and enforcement of the HIPAA Privacy and Security Rules.

16 How to Prepare: Take Compliance One Step at a Time

17 One Step at a Time: Step 1, Security Management Process

18 Security Risk Analysis
A Security Risk Analysis (SRA) is a thorough review of your practice’s HIPAA compliance. Put simply, an SRA is a snapshot of where your organization is today with processes, documentation, and training related to the protected health information you store on your computer systems and maintain in your office. Be sure to have a documented Risk Management Plan in place to mitigate any vulnerabilities that are discovered.

19 One Step at a Time: Step 2, Contingency Plan

20 Contingency Plan One-third of the HIPAA Security Rule covers the requirements your practice must have in place to deal with disasters and emergencies. Your office must have a detailed, documented plan to respond to emergencies and to outline how you will get back up and operational. You must have a plan in place to protect and restore your data!

21 One Step at a Time: Step 3, Breach Notification Plan

22 What is a Breach?
A “breach” is the impermissible use or disclosure of protected health information by a covered entity or a business associate. Examples:
Mailing PHI to the wrong address
Faxing PHI to the wrong number
Lost or stolen laptops, tablets, and phones
Stolen desktops and servers
Cyber attacks
Disgruntled employees can even cause a breach

23 One Step at a Time: Step 4, Documentation

24 HIPAA Forms Some of the forms that you must have, updated to the HIPAA HITECH Standard:
Notice of Privacy Practices
Patient Authorization Forms
Confidential Communications
Acknowledgement if payment is received for marketing of PHI
Fundraising opt-outs

25 HIPAA Forms (continued)
Breach Notification Plan
Contingency Plan
Business Associate Agreements
Device and Media Destruction or reuse form
Encryption log
Reports from your IT department or vendor
The slide annotates these forms with example penalties for missing them: $150,000 Fine; Depends on loss; Same Fine as BA; $1,200,000 Fine; $1,700,000 Fine; $150,000 Fine (unpatched software).

26 Documentation If it’s not documented, it’s not done.

27 One Step at a Time: Step 5, Privacy Policies & Procedures

28 Privacy Rule The Privacy Rule addresses the patient’s rights.
Your employees should know these rules better than the patients. There are 25 HIPAA Privacy Policies and Procedures, and depending on the type of organization, maybe MORE! Ensure that your Policies and Procedures are consistent with your Notice of Privacy Practices; the OCR is watching to make sure you are doing what you say you are doing!

29 One Step at a Time: Step 6, Security Policies & Procedures

30 Security Rules The Security Rule pertains to IT Security, Contingency Planning, and the physical security of your PHI and ePHI. There are 56 HIPAA Security Policies and Procedures that need to be implemented. Some are Required and some are Addressable Standards…

31 Protect Patient Data You must have “Robust” measures in place to review system activity. This is known as an Audit Log Review.

32 Protect Patient Data Reviewing your Audit logs is required under HIPAA HITECH. Most organizations do not know what they are or how to access them. Have you had a breach? Would you know if you did?
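The audit log review described on slides 31 and 32 needs something concrete to look for. The script below is an added example, not part of the presentation or Aris Medical Solutions' material; it assumes a constructed ePHI access log in a simple CSV layout (timestamp,user,patient_id,action) and flags two common review findings: after-hours record access and a user touching an unusually high number of distinct patient records. The thresholds are assumptions to be tuned per role.

```python
"""Minimal ePHI audit log review (added example; assumed CSV layout)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not real patient data.
SAMPLE_LOG = """\
2016-03-01T09:15:00,jdoe,P1001,VIEW
2016-03-01T09:20:00,jdoe,P1002,VIEW
2016-03-01T23:40:00,jdoe,P1003,VIEW
2016-03-01T10:05:00,asmith,P1001,UPDATE
2016-03-01T10:06:00,asmith,P1002,VIEW
2016-03-01T10:07:00,asmith,P1003,VIEW
2016-03-01T10:08:00,asmith,P1004,VIEW
2016-03-01T10:09:00,asmith,P1005,VIEW
2016-03-01T10:10:00,asmith,P1006,VIEW
"""

BUSINESS_HOURS = (7, 19)    # assumption: 07:00-19:00 is normal clinic time
MAX_DISTINCT_PATIENTS = 5   # assumption: tune to the role's expected workload


def parse_log(text):
    """Parse the assumed CSV layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def review_audit_log(text):
    """Return (finding, user, detail) tuples for the reviewer to document."""
    events = parse_log(text)
    findings = []
    patients_per_user = defaultdict(set)
    for e in events:
        patients_per_user[e["user"]].add(e["patient"])
        hour = e["ts"].hour
        if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", e["user"],
                             f"{e['patient']} at {e['ts'].isoformat()}"))
    for user, patients in patients_per_user.items():
        if len(patients) > MAX_DISTINCT_PATIENTS:
            findings.append(("high_volume", user,
                             f"{len(patients)} distinct patient records"))
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(*finding)
```

Each finding should be documented with the reviewer's conclusion, since the review itself is evidence that the audit log control is in place.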

33 Protect Patient Data
If ePHI is encrypted and you have a cyber attack or a device is stolen, you will not be required to report a breach. Encryption is the only Safe Harbor against a data breach and a breach notification. IT MUST BE DOCUMENTED!

34 One Step at a Time: Step 7, Resources & Solutions

35 Where can I find more Info?
CMS Guidance and regulations:
HHS Privacy Rule summary:
HHS Security Rule Summary:
HIPAA Enforcement:
OCR Audit Protocol:
OCR and the States Attorney General:

36 Got Questions? Contact: Suze Shaffer 877.659.2467 x 119
