
HIPAA Basics November 1, 2014.


1 HIPAA Basics November 1, 2014

2 Contents
Fields & Associates Policy
Terms & Definitions
HIPAA Timeline
Review of Basics
Privacy
Security
Breach
Enforcement
References

3 F&A Policy
It is the policy of Fields & Associates, Inc. to comply with all applicable laws, rules and regulations governing the privacy and security of patient information. Anyone connected with Fields and Associates who has access to protected health information (PHI) is required to read and agree to the F&A HIPAA Privacy & Security Policy posted at

4 Terms & Definitions
ARRA – American Recovery and Reinvestment Act of 2009
BA – Business Associate
CE – Covered Entity
CMP – Civil Monetary Penalty
CMS – Centers for Medicare and Medicaid Services
EPHI – Electronic Protected Health Information
HHS – Department of Health and Human Services
HIPAA – Health Insurance Portability and Accountability Act
HITECH – Health Information Technology for Economic & Clinical Health
ONC – Office of the National Coordinator
OCR – Office for Civil Rights
PHI – Protected Health Information

5 Terms & Definitions
Covered Entity is defined as:
A health plan;
A health care clearinghouse;
A health care provider who transmits any health information in electronic form in connection with a covered transaction.
Business Associate is defined as: a person who creates, receives, maintains, or transmits PHI for a function or activity on behalf of a covered entity. The BA provides, other than in the capacity of a member of the CE’s workforce, such services as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial.

6 Terms & Definitions The definition of a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” Subcontractor means: “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” Therefore, all subcontractors of F&A who have access to PHI are required to abide by the same HIPAA requirements as F&A and are responsible for same.

7 HIPAA Timeline
August 21 – The Health Insurance Portability and Accountability Act (HIPAA) was signed into law.
April 14 – Deadline for Covered Entities to comply with the Privacy Rule.
October 16 – Deadline for Covered Entities to comply with the Transactions and Code Sets Rule.
April 20 – Deadline for Covered Entities to comply with the Security Rule.
March 13 – The Enforcement Rule goes into effect.
February 17, 2009 – The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law. ARRA includes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which mandates the US Department of Health and Human Services to develop new regulations related to the HIPAA provisions.

8 HIPAA Timeline cont’d
September 23 – The Interim Final Rule goes into effect, requiring Covered Entities to notify patients when a breach of their unsecured protected health information occurs.
January 17, 2013 – The U.S. Department of Health and Human Services (HHS) releases the Omnibus Final Rule, implementing the changes required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
March 26, 2013 – The Omnibus Final Rule takes effect.
September 23, 2013 – Covered Entities, Business Associates, and subcontractors must be in compliance with most provisions under the Final Rule.

9 The Basics
We will touch on the following topics:
Privacy
Security
Breach
Enforcement

10 Privacy
The Privacy Rule covers protected health information (PHI) that:
Relates to the individual’s past, present or future physical or mental health condition; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to the individual;
And
Either identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.

11 Privacy There is an expectation that disclosures and release of information of any kind are kept to the “minimum necessary”. Minimum necessary refers to the practice of limiting disclosure of information to that information reasonably necessary to accomplish the purpose for which disclosure is sought. For example, if there was a request for a patient’s diagnosis, then you should only release the diagnosis and would NOT release a copy of a document such as a discharge summary that contains the diagnosis AND other information. This might require taking extra steps such as abstracting information or redacting information from a document, but it is absolutely necessary in order to comply with the “minimum necessary” provision.

12 Privacy
Associates, contractors and sub-contractors of F&A:
Will only use PHI/EPHI as permitted and/or outlined in the business associate contract and/or F&A Project Agreement.
Will not share PHI/EPHI with unauthorized individuals.
Will not leave PHI/EPHI where it can be easily seen/accessed.
Will secure all PHI/EPHI when not in use.
Will return to F&A or destroy PHI/EPHI upon the completion of the project or engagement.
Will take appropriate safeguards (such as encryption) when transmitting PHI/EPHI electronically.

13 Security The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity or business associate. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

14 Security
Administrative Safeguards are: administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.
Physical Safeguards are: physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

15 Security
Technical Safeguards are: the technology, and the policy and procedures for its use, that protect electronic protected health information and control access to it.

16 Security
So what does this mean? There must be:
Written policies and procedures.
Physical safeguards such as locked doors, locked file cabinets and access control to physical locations.
Restricted access to electronically stored data by use of things such as passwords.
Use of encryption or other secured means for transmitting PHI.

17 Breach
Breach means the acquisition, access, use or disclosure of protected health information in a manner not permitted by the Privacy/Security Rules that compromises the security or privacy of the PHI.
Exceptions:
Unintentional acquisition, access or use by CE or BA staff, as long as it doesn’t result in further use or disclosure.
Inadvertent disclosure within a CE or BA organization that is not further used or disclosed.
A disclosure where a CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

18 Breach – Breach Notification
A business associate is required to notify the covered entity no later than 60 days after the discovery of a breach of protected health information. Therefore, any contractor working for F&A who has knowledge of a breach of PHI must report the details of the breach to the CEO, Richard Fields, MD, as soon as the breach is discovered.

19 Breach – Breach Notification
A BA is required to conduct a risk assessment whenever a breach occurs. Documentation of the breach report and risk assessment must be created and maintained.

20 Enforcement
Civil Monetary Penalties (CMP) will be imposed for violations of HIPAA based on a tiered structure with four levels that distinguish the degree of culpability, as follows:
Unknowing. The covered entity or business associate did not know, and reasonably should not have known, of the violation.
Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
Continued on next slide

21 Enforcement
Willful Neglect – Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
Willful Neglect – Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.

22 Enforcement
Below are the monetary penalties for each tier:
Violation Category | Each Violation | Total CMP for Violations of an Identical Provision in a Calendar Year
Unknowing | $100 – $50,000 | $1,500,000
Reasonable Cause | $1,000 – $50,000 | $1,500,000
Willful Neglect – Corrected | $10,000 – $50,000 | $1,500,000
Willful Neglect – Not Corrected | At least $50,000 | $1,500,000

23 Closing The purpose of this training is to provide you with a basic understanding of the key concepts and requirements of business associates under the HIPAA regulations. In no way is it intended to provide you with a comprehensive or complete review of the federal regulations regarding healthcare privacy, security, breach and enforcement. As a contractor of Fields and Associates, you agree to comply with all applicable laws, rules and regulations governing the privacy and security of patient information.

24 References
HIPAA Privacy Rules are contained in 45 CFR Part 160 and Part 164 Subparts A & E.
HIPAA Security Rules are contained in 45 CFR Part 160 and Part 164 Subparts A & C.
HIPAA Enforcement Rules are contained in 45 CFR Part 160 Subparts C–E.
You may search for these regulations at the link below: title45-vol1-sec

25 References
Security Risk Assessment
HIPAA Privacy - HHS
HITECH Act
orcementifr.html
OMNIBUS Final Rule (pdf)

26 Make sure you complete the form at www.fieldsinc to document your completion of this training.

