Published by Madeline Morgan. Modified over 9 years ago.

The Implementation of HIPAA
Joan M. Kiel, Ph.D., C.H.P.S.
Duquesne University
Pittsburgh, Pennsylvania

HIPAA Parts
HIPAA: 6 of 11 Parts Released:
- Transactions & Code Sets [2002]
- Privacy [2003]
- Unique Identifier – Employer [2004]
- Security [2005]
- Enforcement [2006]
- Unique Identifier – Provider (NPI) [2007]

HIPAA Parts
- HITECH: Health Information Technology for Economic & Clinical Health Act [2/2010]
- HIPAA Compliance Audit Protocol [7/2012]
- HIPAA “MegaRule” [1/25/2013]

HIPAA Personnel Role
- Privacy Person [45 CFR 164.530(a)(1)(i)]
- Security Person [45 CFR 164.308(a)(2)]
The Federal Government mandates that covered entities have both a privacy person and a security person. This person (or persons) implements and manages the previously mentioned policies.

What Needs to Be Done
For each of the policies, the HIPAA person will do the following 11 items. This is an ongoing process, as an item is never truly done, just like your other work.

1. HIPAA Committee
- Representatives from health services and medical records, information technology, management, finance, and policy.

2. Policies & Procedures
- For the six HIPAA Rules to date, develop policies from the law, not secondary sources
- The laws are released in the Federal Register

3. Training & Awareness
- Live or on-line, but must be ongoing
- Staff meeting awareness
- Payroll stuffers/emails as awareness
- Integrate awareness into daily activities

4. Documentation
- Documentation must be retained for six years
- Critical with July 2012 HIPAA Compliance Audit Protocol & MegaRule

5. Risk Assessments & Audits
- Quarterly
- Authentication: most likely passwords
- Data integrity checks
- Have a policy and process to act on the findings

6. Complaint Process
- People need to be aware of how to file a complaint; thus, post the process for filing complaints
- Complaints are only to be HIPAA related
- Have a policy & process to act on the complaints

7. Sanction Process
- Sanction only for the HIPAA violation
- Internal investigation and/or OCR
- Civil and criminal penalties per Enforcement Rule
- Follow-up on the sanction and charge

8. Web Site
- If the covered entity has a web site, the Notice* of Health Information Privacy Practices must be prominently displayed on the web site.
- Keep the web site updated
* Notice as of February 2009 & MegaRule – July 15, 2014

9. Formage
- Develop forms from the laws. May or may not be able to use forms from other covered entities (i.e., addressable Security Rule policies)
- Educate staff on the formage

10. Business Associate Agreements
- Assess all those external to the workforce who have access to the covered entity’s PHI
- Both the Privacy Rule & the Security Rule cover BAAs.
- HITECH & MegaRule brought tougher BAA requirements

11. Research
- Play an integral role with the covered entity’s Institutional Review Board
- Ensure minimum necessary standards for data used in research
- Look for changes in 2013 or 2014

Summary
- Position outlined by the Six Rules of HIPAA that have been released; stay informed on changes and upcoming Rules
- Communication
- Organization
- Keep current