Presentation is loading. Please wait.

Presentation is loading. Please wait.

(c) 2013 James J. Eischen, Jr., Esq.

Published byBlake Reid Modified over 11 years ago

Similar presentations

Presentation on theme: "(c) 2013 James J. Eischen, Jr., Esq."— Presentation transcript:

1 (c) 2013 James J. Eischen, Jr., Esq.
FIVE “EASY” STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois (c) 2013 James J. Eischen, Jr., Esq.

2 (c) 2013 James J. Eischen, Jr., Esq.
Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience as an attorney in California Experience in the healthcare field: medical groups, EHR firms, health coaching enterprises and healthcare products. Graduated from the University of California at Davis School of Law. Professional Memberships: San Diego County Bar Association Law & Medicine Section, Attorney-Client Relations Committee, State Bar Of California Section Member, AAPP Corporate Secretary (c) 2013 James J. Eischen, Jr., Esq.

3 Understand The Purpose Of HIPAA
STEP ONE Understand The Purpose Of HIPAA (c) 2013 James J. Eischen, Jr., Esq.

4 (c) 2013 James J. Eischen, Jr., Esq.
WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of certain health information. The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties. (c) 2013 James J. Eischen, Jr., Esq.

5 (c) 2013 James J. Eischen, Jr., Esq.
KEY TERMS “Unsecured” PHI PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons specified by HHS Encryption and destruction ePHI Electronic PHI Breach Acquisition, access, use or disclosure of PHI PHI security or privacy is compromised (c) 2013 James J. Eischen, Jr., Esq.

6 Look At Basic HIPAA Compliance (Privacy And Security Rules)
STEP TWO Look At Basic HIPAA Compliance (Privacy And Security Rules) (c) 2013 James J. Eischen, Jr., Esq.

7 (c) 2013 James J. Eischen, Jr., Esq.
SECURITY RULE Prior to HIPAA, no generally accepted federal security standards or general requirements for protecting health information. New technologies evolving. Health care industry moves away from paper processes to electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.  Providers use clinical applications such as computerized physician order entry (COPE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Security Rule: Protects the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ ePHI.  (c) 2013 James J. Eischen, Jr., Esq.

8 (c) 2013 James J. Eischen, Jr., Esq.
SECURITY RULE APPLIED Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Specifically, covered entities must: Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit; Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; and Ensure compliance by their workforce. (c) 2013 James J. Eischen, Jr., Esq.

9 PRIVACY RULE: CONFIDENTIALITY
The Privacy Rule defines “confidentiality” to mean that ePHI is not available or disclosed to unauthorized persons. The Privacy Rule prohibits improper uses and disclosures of ePHI. (c) 2013 James J. Eischen, Jr., Esq.

10 SO, WHAT SECURITY MEASURES MUST BE IMPLEMENTED?
Security Rule does not dictate measures, but requires the covered entity to consider: Its size, complexity, and capabilities, Its technical, hardware, and software infrastructure, The costs of security measures, and   The likelihood and possible impact of potential risks to e-PHI. Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment. (c) 2013 James J. Eischen, Jr., Esq.

11 (c) 2013 James J. Eischen, Jr., Esq.
(c) 2013 James J. Eischen, Jr., Esq.

12 Evaluate What Changed With The Omnibus/Final Rule
STEP THREE Evaluate What Changed With The Omnibus/Final Rule (c) 2013 James J. Eischen, Jr., Esq.

13 BEFORE AND AFTER OMNIBUS RULE
BA regulated through BAAs After BAs and subcontractors regulated directly under HIPAA BAs are CEs, and must comply with Security Rule (c) 2013 James J. Eischen, Jr., Esq.

14 EXPANDED DEFINITION OF CE
CE: On behalf of a covered entity (CE), creates, receives, maintains or transmits PHI Subcontractor of a BA Role + responsibilities of BA = CE BA requirements/exposure not defined simply because it is a party to a BAA (c) 2013 James J. Eischen, Jr., Esq.

15 (c) 2013 James J. Eischen, Jr., Esq.
NOT A BA Those who simply provide “transmission services” Digital couriers or “mere conduits” But if you store personalized ePHI, even if you do not view it, you are a BA/CE (c) 2013 James J. Eischen, Jr., Esq.

16 (c) 2013 James J. Eischen, Jr., Esq.
SUBCONTRACTORS Contract between the CE’s BA and the BA’s subcontractor must satisfy the BAA requirements Subcontractor of a subcontractor of a subcontractor of a subcontractor all BAS HIPAA/HITECH obligations apply to subcontractors (c) 2013 James J. Eischen, Jr., Esq.

17 (c) 2013 James J. Eischen, Jr., Esq.
OMNIBUS/FINAL RULE All covered entities must review documentation including business associate agreements, notice of privacy practices, and their policies and procedures to ensure compliance with the Final Rule BAA and NPP MUST BE UPDATED (c) 2013 James J. Eischen, Jr., Esq.

18 (c) 2013 James J. Eischen, Jr., Esq.
PRESUMPTION OF BREACH Interim Final Rule Risk assessment to determine if unauthorized ePHI access, use or disclosure caused harm No presumption of a breach Final Rule Unauthorized access, use or disclosure presumed to be a breach unless CE determines low probability ePHI was compromised (c) 2013 James J. Eischen, Jr., Esq.

19 POTENTIAL BREACH EVALUATION
CE must evaluate Nature and extent of ePHI Unauthorized person who used ePHI Whom disclosure was made ePHI actually viewed or acquired How risk was mitigated DOCUMENT, DOCUMENT, DOCUMENT AND THEN DOCUMENT SOME MORE (c) 2013 James J. Eischen, Jr., Esq.

20 (c) 2013 James J. Eischen, Jr., Esq.
BREACH NOTIFICATION BA must provide notice of breach To CE Breach treated as discovered as of 1st day when known or would have been known When by exercising reasonable diligence would have breach been known? Subcontractor BA gives notice to BA (c) 2013 James J. Eischen, Jr., Esq.

21 (c) 2013 James J. Eischen, Jr., Esq.
ELECTRONIC ACCESS “Reasonable” safeguards If PHI owner wants PHI sent unencrypted, CE needs to let individual know of risks DOCUMENT ePHI OWNER’S CONSENT Secure mechanism Electronic “machine readable copy” Can be used on a computer PDFs If a PHI owner asks for specific format, CE needs to accommodate when possible (c) 2013 James J. Eischen, Jr., Esq.

22 FEES CHARGED FOR ELECTRONIC RECORDS?
Labor costs only Retrieval costs or capital costs not allowed to be charged Supplies upon request can be charged Best practice is to list fees on authorization/consent form itself (c) 2013 James J. Eischen, Jr., Esq.

23 ACCESS TO THIRD PARTIES
Individual can request CE to send ePHI to another individual In writing Electronic OK but verification needed Identify who is the receiver PHI must still be protected when sent to third party (c) 2013 James J. Eischen, Jr., Esq.

24 RESTRICTIONS/ACCOUNTING RULE
Individual can restrict ePHI to health plan when paying out of pocket in full for a service (Accounting Rule) CE need to develop how to track restrictions CEs submit restricted ePHI for required audits when “required by law” (c) 2013 James J. Eischen, Jr., Esq.

25 Identify Necessary HIPAA Compliance Steps
STEP FOUR Identify Necessary HIPAA Compliance Steps (c) 2013 James J. Eischen, Jr., Esq.

26 Update Your Documentation!
(c) 2013 James J. Eischen, Jr., Esq.

27 HIPAA COMPLIANCE: BASIC DOCUMENTATION
Notice of Privacy Practices (NPP) Business Associate Agreement (BAA) Internal risk analysis memo Practice’s written office procedures and processes must be examined thoroughly Evaluate risks and decide how to address those risks (c) 2013 James J. Eischen, Jr., Esq.

28 (c) 2013 James J. Eischen, Jr., Esq.
SO, WHAT DO I DO? Update BAA Update NPP Update internal risk assessment memo Ensure electronic records access not subject to unlawful charges (c) 2013 James J. Eischen, Jr., Esq.

29 Electronic Communications, Scheduling & Records Management
STEP FIVE Electronic Communications, Scheduling & Records Management (c) 2013 James J. Eischen, Jr., Esq.

30 HIPAA/PRIVACY COMPLIANCE WITH ELECTRONIC COMMUNICATIONS
Electronic data storage of any kind = HIPAA (c) 2013 James J. Eischen, Jr., Esq.

31 (c) 2013 James J. Eischen, Jr., Esq.
SHOULD MY PHYSICIAN-PATIENT AGREEMENT DEAL WITH ELECTRONIC COMMUNICATIONS Not recommended! Need separate ePHI agreement for risk management/HIPAA compliance HIPAA Final Rule: Non-compound ePHI consent (c) 2013 James J. Eischen, Jr., Esq.

32 CHECK MARKETING/PRACTICE COMMUNICATION PLATFORMS FOR COMPLIANCE
Website Calendar/Scheduling FAQs Patient letters Staff training!!! Is this all really necessary? (Hint—The correct answer is not “no”) (c) 2013 James J. Eischen, Jr., Esq.

33 So What Can Go Wrong Anyway?
Case Study: Arizona Cardiologist Fined $100,000 and ordered to take corrective action to implement policies and procedures to safeguard the protected health information of its patients. (c) 2013 James J. Eischen, Jr., Esq.

34 (c) 2013 James J. Eischen, Jr., Esq.
WHAT WENT WRONG? Inadequate internal risk analysis Lack of staff training No BAA with outside IT vendor for web calendar Bottom Line: an internal risk analysis memo and awareness of patient privacy rights can avoid fines/penalties (c) 2013 James J. Eischen, Jr., Esq.

35 (c) 2013 James J. Eischen, Jr., Esq.
Questions? James J. Eischen, Jr., Esq. Office: (619) Skype: jeischenjr (c) 2013 James J. Eischen, Jr., Esq.

Download ppt "(c) 2013 James J. Eischen, Jr., Esq."

Similar presentations

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Steps to Compliance: Managing Business Associates PRESENTED BY.

Steps to Compliance: Managing Business Associates PRESENTED BY.
HIPAA Basics November 1, 2014.

HIPAA Basics November 1, 2014.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
HIPAA What’s New? 2010. What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.

HIPAA What’s New? What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.

CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.

W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Similar presentations

Ads by Google