Published by Charlotte Lamberth. Modified over 9 years ago.
Where to start
Ben Burton, JD, MBA, RHIA, CHP, CHC
- What is the rule?
- State vs. federal laws: how does that work?
- What goes in the Notice of Privacy Practices?
- What tools are available to help?
Federal rule, 45 CFR Part 164, on the eCFR:
http://www.ecfr.gov/cgi-bin/text-idx?SID=f97320836308edcaaff61071d30ec1ba&tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl
State law example, Maine Title 22, section 1711-C:
http://www.mainelegislature.org/legis/statutes/22/title22sec1711-C.html
- Health Information Technology for Economic and Clinical Health (HITECH) Act, 2009
- Omnibus Rule, 2013
- Case law
- MeHIMA Legal Resource Manual: http://www.mehima.org/legalmanual.htm
- AHIMA (members): Engage / Communities of Practice; Body of Knowledge
- HHS OCR: general information; FAQs
HHS OCR, covered entities:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
Gap analysis
- Define current state
- Determine goal
- Develop a plan to meet your goals
- Update and reevaluate
- Fully compliant
- Compliant, but just need to update for HITECH
- Partially compliant, but have a plan
- Partially compliant, and don't know where to go
- Not sure? What is HITECH?
- Read the rule
  - Know the sections
  - Don't memorize, but be familiar with the language
- Know your internal rules
  - How to use your risk assessment(s)
  - Applicable policies and procedures (P&P)
  - What to do if …
OCR audit protocol:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
From the website, regarding the audit tool: "Please be aware that the protocol has not yet been updated to reflect the Omnibus Final Rule but a version reflecting the modifications will be available in the future."
The rule itself has been updated to include 78 FR 5695, January 25, 2013 (the Omnibus Final Rule).
If you wait until you are audited, it's too late …
- Create documents that comply with each performance criterion
- Risk analysis
- Create practical P&Ps (cite the rule in the policy, e.g. 45 CFR §…)
- Create a table of contents or summary log
- Publish internally
- Train your workforce and other applicable people
- Give people access to the tools as necessary
Elements of each audit protocol item:
- Section
- Established performance criteria
- Key activity
- Audit procedures (what questions auditors are likely to ask)
- Implementation specification: required vs. addressable (an addressable specification is not optional; if you do not implement it you need documentation and support for why, and for what you did instead)
- HIPAA compliance area: breach, security, or privacy
- Conduct a risk assessment (security and privacy); the audit looks only at security
- IT systems and services: security capability
- Purchase equipment: certified EMR
- P&P (monitor activity)
- Reduce the risks identified in the risk assessment
- Risk management
- Assign security responsibility
  - Select a security officer
  - Define and document duties
- Workforce security
  - Establish access and supervision
  - Role-based security: limit access to need to know
  - Clearance process
  - Access termination process
- Information access
  - P&P related to access: when, who, how long, etc.
  - Consistent with the rules
- Train (everyone)
- Plan and strategy: when, who, what (log-in, password management, organizational tools, etc.)
- Document
- Response plan: identify, investigate, correct, mitigate
- Contingency plan: disaster recovery, data backup, emergency operations plan
- Test and revise
- May be internal or external
- Look at the entire system (document the method)
- Document
- Make changes as necessary
- Rinse and repeat
Assess -> Create/Document/Develop/Approve -> Implement -> Monitor -> Respond
- HITECH requires BAs to be bound by HIPAA directly; CEs still need BAAs
- BAAs updated to reflect the Jan. 25, 2013 rule
- HHS business associate contract provisions:
  http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
- Protect the place where the information is kept (card access, etc.)
- HR and safety issues can also be addressed here
- Address emergencies, maintenance, housekeeping, etc.
- Identify workstations: access, surroundings, proper purpose and use
- Disposal of PHI, including ePHI
- Assign accountability
- Backup, storage, disposal: everything related to media devices
- Mobile and remote access devices
- Assess need and capabilities (patients have a right to get information in electronic form)
- Encryption: addressable?
- Unique identifier for each user
- Technical controls
- Emergency access
- Auto log-off and other security-related issues
- Use the system to audit activity
- Track specific activities based on risk (e.g. break the glass)
- Document the process and the audit results
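As an added example (not from the presentation), this is the kind of review logic that "track specific activities based on risk" implies, run over a few constructed audit-log lines: every break-the-glass access is queued for review, one without a documented reason is escalated, and a routine access by someone with no treatment relationship to the patient is flagged. The log format, user names and care-team roster are assumptions made for the example.

```python
"""Review high-risk ePHI access events from an EHR audit trail.

Added example, not from the presentation. The log format (one JSON object
per line), the user names and the care-team roster are all constructed.
"""
import json
from collections import defaultdict

# Constructed audit records: who touched which patient record, and whether
# the access used a break-the-glass override.
SAMPLE_LOG = """
{"ts": "2014-08-06T08:01:12Z", "user": "dr.smith", "patient": "P1001", "action": "view", "break_glass": false, "reason": ""}
{"ts": "2014-08-06T08:05:40Z", "user": "rn.jones", "patient": "P1002", "action": "view", "break_glass": true, "reason": "ED admission, not yet on unit census"}
{"ts": "2014-08-06T08:07:03Z", "user": "rn.jones", "patient": "P1003", "action": "view", "break_glass": true, "reason": ""}
{"ts": "2014-08-06T09:15:22Z", "user": "clerk.lee", "patient": "P1001", "action": "view", "break_glass": false, "reason": ""}
{"ts": "2014-08-06T09:17:50Z", "user": "clerk.lee", "patient": "P1002", "action": "view", "break_glass": false, "reason": ""}
{"ts": "2014-08-06T09:20:00Z", "user": "dr.smith", "patient": "P1001", "action": "modify", "break_glass": false, "reason": ""}
{"ts": "2014-08-06T10:02:45Z", "user": "dr.smith", "patient": "P1002", "action": "view", "break_glass": false, "reason": ""}
"""

# Constructed care-team roster (treatment relationships). In a real EHR this
# would be derived from the census/ADT feed rather than hard-coded.
CARE_TEAM = {
    "P1001": {"dr.smith", "clerk.lee"},
    "P1002": {"dr.smith"},
    "P1003": set(),
}

def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def review_access_events(events, care_team):
    """Return (event, finding) pairs a privacy/security officer should review.

    Rules, chosen to match the risks the slide calls out:
      * every break-the-glass access is queued for review;
      * a break-the-glass access with no documented reason is escalated;
      * a non-emergency access by a user with no treatment relationship to
        the patient is flagged as possible snooping.
    """
    findings = []
    for ev in events:
        on_team = ev["user"] in care_team.get(ev["patient"], set())
        if ev["break_glass"]:
            if ev["reason"].strip():
                findings.append((ev, "break-glass: review documented reason"))
            else:
                findings.append((ev, "break-glass without reason: escalate"))
        elif not on_team:
            findings.append((ev, "access outside care team: possible snooping"))
    return findings

def summarize_findings(findings):
    """Count findings per user; this is what the audit record should retain."""
    per_user = defaultdict(int)
    for ev, _ in findings:
        per_user[ev["user"]] += 1
    return dict(per_user)

if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_LOG)
    findings = review_access_events(events, CARE_TEAM)
    for ev, why in findings:
        print(f"{ev['ts']} {ev['user']:<10} {ev['patient']} {ev['action']:<6} {why}")
    print(summarize_findings(findings))
```

The rules are deliberately simple; the point is that the system's own log is the input, the risk-based rule set is documented in code, and the per-user summary is the artifact that gets retained as the audit result.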
- Integrity: protect information; track modifications
- Determine methods to properly authenticate ePHI (addressable): legal risk
- Transmission security: data sent from the organization
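As an added example (not from the presentation), one electronic mechanism for authenticating ePHI, i.e. corroborating that a record has not been altered in an unauthorized manner: each record is tagged with an HMAC under a key the storage tier does not hold, and the verifier recomputes the tag. A plain hash stored next to the data would not do, because whoever can rewrite the record can rewrite the hash. The record fields and the key are constructed for illustration.

```python
"""Corroborate that stored ePHI has not been altered in an unauthorized manner.

Added example, not from the presentation. Each record carries an HMAC-SHA256
tag computed under a key the storage tier does not hold, so a change made
directly in the database (bypassing the application) fails verification.
The record layout and the key are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed key; in production it belongs in a KMS/HSM, never beside the data.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

def canonical_bytes(record):
    """Deterministic serialization so equal content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def tag_record(record, key=INTEGRITY_KEY):
    """Return a copy of the record with an integrity tag attached."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {**record, "_tag": tag}

def verify_record(tagged, key=INTEGRITY_KEY):
    """True if the record's content still matches its tag; False if altered or untagged."""
    stored = tagged.get("_tag")
    if not isinstance(stored, str):
        return False
    body = {k: v for k, v in tagged.items() if k != "_tag"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing information.
    return hmac.compare_digest(stored, expected)

def audit_store(records, key=INTEGRITY_KEY):
    """Verify every record and return the MRNs that fail, for the audit log."""
    return [r.get("mrn") for r in records if not verify_record(r, key)]

if __name__ == "__main__":
    original = tag_record({"mrn": "P1002", "allergy": "penicillin", "updated_by": "dr.smith"})
    tampered = {**original, "allergy": "none"}      # edited in storage, tag untouched
    untagged = {k: v for k, v in original.items() if k != "_tag"}
    print(audit_store([original, tampered, untagged]))  # both altered copies fail
```

Key separation is what makes this an integrity control rather than a checksum: the application that writes records holds the key, the database does not, so a direct edit in storage (or a restored backup that was tampered with) shows up the next time records are verified.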
- Risk assessment: define the process (what constitutes a low probability that the PHI has been compromised)
- AHIMA guidance: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_050335.hcsp?dDocName=bok1_050335
- Notification: the individual; others as applicable
45 CFR §164.502, General rule: "(a) Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter."
Notice of Privacy Practices (NPP), 45 CFR §164.520, Notice of privacy practices for protected health information: defines your HIPAA rules.
- Training
- Sanctions
- Protect data
- Mitigate damages
- Non-retaliation
- Process for the things listed in the NPP (accounting of disclosures, opt-out, copies of records, amendment, restrictions, etc.)
45 CFR Part 164 (retrieved 8/6/2014):
http://www.ecfr.gov/cgi-bin/text-idx?SID=f97320836308edcaaff61071d30ec1ba&tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl