
HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.


1 HIPAA Privacy and Security Summit
HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights
Widener University Delaware Law School / 1st Healthcare Compliance
Wilmington, Delaware, November 8, 2018
Catherine E. Walters, Esquire, Bybel Rutledge LLP, Lemoyne, PA
Ann Waldo, JD, CIPP, Waldo Law Offices, PLLC, Washington, D.C.
George W. Bodenger, Esquire, Law Offices of George W. Bodenger LLC, Radnor, PA

2 Today's Agenda
More on the HIPAA Privacy Rule and compliance
Compliance strategies
Compliance programs
Employee training and education
Self audits
Patient and provider rights
Panel discussion and questions

3 Compliance Strategies
Goals:
Comply with HIPAA privacy standards
Protect patient privacy
Minimize costs of protecting privacy and compliance
Considerations:
Organization size
Treatment relationship
Organizational structure

4 Compliance Strategy? (cartoon slide, image credit ©HarrisBiomedical)

5 Compliance Programs
The 7 elements of a compliance program:
Standards and procedures
Oversight by an appropriate official
Education and training
Auditing and monitoring
Open lines of communication
Enforcement and discipline
Response and prevention

6 Compliance Programs
HIPAA privacy standards and protocols require coverage of broad territory, for example:
Privacy policies and procedures
Notice and authorization forms
"Minimum Necessary" standard
Business associate contracts
Access to and amendment of PHI
Complaint procedures
Documentation procedures and systems
Privacy training
Privacy auditing and monitoring

7 Policies and Procedures
Privacy and Security policies and procedures
HIPAA handbooks for office staff and for clinical staff that explain:
The privacy and security standards
How to protect the privacy, confidentiality and security of PHI, including working with patients and patient information, use of health information, safeguarding PHI and following protocols
How to report suspected privacy and security incidents
Consequences of noncompliance

8 Privacy Policies & Procedures
Privacy official designation
Staff responsibilities
Training and education
Reporting of suspected violations
Investigation of potential staff violations
Sanctions and penalties
Business associates
Development and maintenance of policies and procedures
Documentation and record keeping

9 Privacy Policies & Procedures
PHI use and disclosure for numerous different purposes
Communications and media relations
Notice of privacy practices
Authorization of use or disclosure
Patient requests to restrict uses/disclosures
Personal representatives
Parental access to PHI of children
Disclosure of PHI to family members

10 Privacy Policies & Procedures
Patient access to PHI
Amendment of health information
Accounting to patients for disclosures
Complaints
Complaint resolution procedures
Mitigation
Nonretaliation and protection for whistleblowers

11 Security Policies & Procedures
Assigning security responsibility
Security management process:
  Risk analysis
  Risk management
  Sanction policy
  Information system activity review
Workforce security:
  Authorization/supervision
  Workforce clearance
  Termination procedures

12 Security Policies & Procedures
Information access management:
  Access authorization
  Access establishment and modification
Security awareness and training:
  Security reminders
  Protection from malicious software
  Log-in monitoring
  Password management
Security incident procedures

13 Security Policies & Procedures
Contingency planning
Business associate contracts
Facility access controls
Workstation security
Device and media controls
Access, audit and integrity controls
Person or entity authentication
Transmission security

14 Compliance Training
HIPAA includes multiple different workforce training requirements:
Privacy (45 CFR § (b))
Security (45 CFR § (a)(5))
Training of all staff is required:
Office staff
Clinical staff
State laws may also apply; if a state law is more stringent than HIPAA, the state law controls

15 Privacy Training
Policies and procedures
Employee handbooks
Increase awareness of privacy issues
Educate on specific privacy requirements
Educate on policies and procedures adopted to meet HIPAA requirements
Examine day-to-day activities and review the impact on how people do their jobs

16 Privacy Training
Interaction with patients during office visits and subsequent uses of the patient's information:
Collection of PHI
Use and disclosure of PHI
Claims and bookkeeping
Accounting for disclosures
Patient right to review information
Patient right to correct information

17 Privacy Training
Using and sharing information:
Use and disclosure without authorization
Sharing information with family/friends involved in the patient's care
Incidental disclosures
Notice of privacy practices:
Purpose and content of the notice
Procedures for documenting that the notice has been provided to patients

18 Privacy Training
Authorization:
When authorization is required
Content of an authorization
Procedures to obtain authorization
Accounting for disclosures:
Records of accountings
Procedures for requesting accountings
Content of accountings

19 Privacy Training
Patient access to information:
Procedures for patients to obtain PHI
Procedures to request changes or corrections
Privacy training should be refreshed on a regular basis; some states require annual training
New employees and employees who change jobs should receive training
When policies and procedures change, training should be provided to affected employees

20 Security Training
Increase awareness of security issues
Educate on specific privacy and security requirements
Educate on policies and procedures adopted to meet HIPAA privacy and security requirements
Examine day-to-day activities and review the impact on how people do their jobs

21 Security Training
Information security rule:
Maintain the confidentiality, integrity and availability of ePHI
Protect against reasonably anticipated threats or hazards to the security or integrity of information
Protect against reasonably anticipated uses or disclosures not permitted or required under HIPAA
Maintain workforce compliance with HIPAA

22 Security Training
Administrative safeguards
Physical safeguards
Technical safeguards
Privacy and security training
General security policies
Physical and workstation security
Passwords
Periodic security reminders

23 Privacy and Security go Hand-in-Hand!

24 HIPAA Internal Audits
Why perform an internal audit?
Auditing and monitoring → compliance
Security Rule requirements
What information should be audited?
Privacy Rule elements
Security Rule requirements
HHS audit protocol items
Trigger events

25 HIPAA Internal Audits
What are trigger events?
Conditions or events that suggest unauthorized access to ePHI may have occurred, for example:
Data breach
Patient complaints
After-hours activity
Employee viewing records of patients the employee was not involved in treating
Employee viewing records of other employees
Employee viewing records of patients involved in high-profile events or with specific diagnoses
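The access-pattern triggers listed on this slide (after-hours activity, access outside the care team, employee-on-employee lookups, high-profile patients) are exactly what an "information system activity review" has to pull out of EHR audit logs. The script below is an added example, not code from the presentation or from any EHR vendor: it screens a constructed key=value access log against constructed care-team, employee-patient and high-profile lists and emits one alert per trigger condition hit. The log format, the field names, the 07:00-19:00 weekday business window and the lookup tables are all assumptions for illustration.

```python
"""Trigger-event screening over an EHR access log (added example, constructed data).

Flags the audit triggers named on the slide:
  - after-hours access to ePHI
  - a user viewing a patient record while not on that patient's care team
  - an employee's own patient record viewed by a different employee
  - access to records of high-profile patients (or other flagged patients)
Log format, field names, business hours and lookup tables are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str


@dataclass(frozen=True)
class Alert:
    event: AccessEvent
    reason: str


# Assumed business window; weekends or anything outside it count as after-hours.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_log_line(line: str) -> AccessEvent:
    """Parse one line of the assumed '<iso-timestamp> key=value ...' audit format."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return AccessEvent(datetime.fromisoformat(ts_text), kv["user"], kv["patient"], kv["action"])


def is_after_hours(ts: datetime) -> bool:
    """True on Saturday/Sunday or outside the assumed weekday business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def screen(events, care_team, employee_patients, high_profile):
    """Return one Alert per (event, trigger condition) pair, in log order.

    care_team:         patient id -> set of user ids authorised by treatment relationship
    employee_patients: patient id -> user id of the employee who *is* that patient
    high_profile:      set of patient ids whose records warrant review on any access
    """
    alerts = []
    for ev in events:
        reasons = []
        if is_after_hours(ev.ts):
            reasons.append("after-hours access")
        if ev.user not in care_team.get(ev.patient, frozenset()):
            reasons.append("user not on patient's care team")
        owner = employee_patients.get(ev.patient)
        if owner is not None and owner != ev.user:   # self-access is a patient right
            reasons.append("employee record viewed by another employee")
        if ev.patient in high_profile:
            reasons.append("high-profile patient record")
        alerts.extend(Alert(ev, r) for r in reasons)
    return alerts


def summarize(alerts):
    """Count alerts by trigger reason (what an audit report would tabulate)."""
    return dict(Counter(a.reason for a in alerts))


# --- Constructed sample data; not real users, patients or records ---
SAMPLE_LOG = """\
2018-11-08T09:15:00 user=dr.smith patient=P-1001 action=VIEW
2018-11-08T21:15:00 user=nurse.jones patient=P-1001 action=VIEW
2018-11-08T10:00:00 user=clerk.lee patient=P-2002 action=VIEW
2018-11-10T11:00:00 user=dr.smith patient=P-3003 action=VIEW
"""
CARE_TEAM = {
    "P-1001": frozenset({"dr.smith", "nurse.jones"}),
    "P-2002": frozenset({"dr.smith"}),
    "P-3003": frozenset({"dr.smith"}),
}
EMPLOYEE_PATIENTS = {"P-2002": "nurse.jones"}   # P-2002 is staff member nurse.jones
HIGH_PROFILE = frozenset({"P-3003"})


def run_sample():
    events = [parse_log_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return screen(events, CARE_TEAM, EMPLOYEE_PATIENTS, HIGH_PROFILE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.event.ts:%Y-%m-%d %H:%M} {a.event.user:<12} {a.event.patient}  {a.reason}")
```

Each alert is a lead for the audit, not a finding: the care-team table is the control that turns "viewed a record" into "viewed a record without a treatment relationship", so it has to come from the EHR's own assignment data, and after-hours hits on on-call clinicians will need a documented exception. Run on the sample, the script yields five alerts from four log lines (the Saturday access to the high-profile patient and the clerk's lookup of a colleague's record each trip two triggers).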

26 HIPAA Internal Audits
Creating an audit plan
Conducting the audit
Evaluating audit findings
Preliminary and final reports
Recommendations and follow-up or corrective actions
Establishing a routine audit schedule
Monitoring

27 Patient and Provider Rights
Patients have the right to:
Inspect and obtain copies of their own health information, including in electronic form if the provider maintains it electronically
Request corrections or amendments to their own health information if they believe it contains errors
Have corrections communicated to others
Dispute a provider's denial of a request for corrections or amendments to their records

28 Patient and Provider Rights
Providers have the right to:
Deny access to certain types of information
Charge reasonable fees for copies, including copies provided in electronic format
Deny requests for correction or amendment within specific parameters
When a request is denied, the provider must give the patient written notice stating the reasons for the denial and the procedures for disputing it
The provider must maintain records of all such correspondence


30 Panel Discussion
Identifying trigger events
Real-life scenarios (truth is stranger than fiction!)
Implementing change and getting it right
Questions and answers

