Building a Blueprint for HIPAA HITECH Privacy and Security Compliance
PACHC, October 7, 2015, Lancaster, PA
Learning Objectives
1. Recognize critical security and privacy risks affecting organizations serving underserved communities.
2. Determine how to perform a risk assessment and develop a risk management strategy.
3. Understand the critical success factors in building an organizational culture of privacy and security compliance.
Health Care Transformation Requires Security and Privacy Integration
Drivers of change:
New technologies
New care models
Growing consumer engagement
Obligations that come with them:
HIPAA requirements and penalties
Meaningful Use requirements
OCR audits for HIPAA compliance
HITECH Act transparency and reporting requirements
Increased regulatory scrutiny
Connected Clinicians and Consumers
Electronic healthcare interactions involve more data from multiple sources. ePHI now flows between:
EMR / PHR
Payers
HIEs
ACOs
Revenue cycle / 3rd-party billing
Clinicians
Consumers
Big data / analytics
Employers
Other health systems
What is the greatest risk? 75% of organizations say the greatest risk to security and privacy of patient information is employee negligence.
Phishing season Healthcare organizations are 74% more likely to receive phishing e-mails than other industries.
PHI Data Breach Is Lurking
"If you think compliance is expensive, try noncompliance."
- Paul McNulty, Former U.S. Deputy Attorney General
HIPAA Guidance Can Be Overwhelming
Risk Assessment, Encryption, Mobile Media, Breach Notification, Fines, Audits, Authentication, HIPAA Privacy, Business Associates, Access Control, Disaster Recovery, Confidentiality, Integrity, Availability, Patient Access, Risk Management, Contingency Planning
Needed: Step-by-Step Risk Management
Phases: Risk Analysis -> Gap Analysis -> Remediation -> Monitoring
Execution: BAAs, Access Control, Training, Contingency Planning, Encryption, etc.
Team: Management, Human Resources, Facilities, IT Services, Staff
Plan: Policies, Procedures, Implementation, Monitoring
A Simplified, Prioritized Approach to Security and Privacy Compliance
Risk Assessment: Assess organization readiness and compliance
Gap Analysis: Prioritize and mitigate security and privacy risks and gaps
Remediation and Monitoring: Develop an ongoing security and privacy program, including policies and training
Rapid Risk Analysis: Quick "How Am I Doing?" Diagnostic
Guided questions, yes/no only, no ambiguity
Built-in help, integrated training
Quickly move from assessment to action
Gap Analysis: Prioritize Risks to Focus on What's Important
Expert-guided priority based on risk, cost and impact
Built-in help, integrated training
Accommodates varying organizational goals and objectives
Rapid Risk Remediation: Mitigate Risks and Develop Required Documentation
Detailed task-by-task work plan
Simple workflow
Web and email integration
Task ownership and scheduling
Self-documenting
Who is my BA?
Who are Business Associates?
Healthcare Entity                                 Business Associate?   Comment
Claims Clearinghouse                              no                    Covered entity
Hospital Systems                                  no                    Covered entity
Health Information Exchange                       yes
IT Service Provider                               yes
Reference lab                                     no                    Covered entity
Radiology Service Provider                        no                    Covered entity
Referring / Referred-to Provider (any specialty)  no                    Covered entity
Answering Service                                 yes
Commercial Insurer                                no / yes              Covered entity; a BA if administering a self-insured benefit plan
Lawyer                                            yes                   If litigating patient cases
Accounting Firm                                   yes                   If reviewing or managing claims data
Off-site Medical Records Storage Facility         yes
Housekeeping Service                              no                    Incidental contact with PHI
The Ten BAA Essentials
1. Establish permitted uses and disclosures.
2. State that the BA will not use or disclose PHI for reasons not permitted or required.
3. Require the BA to implement HIPAA safeguards to prevent unauthorized use or disclosure.
4. Require the BA to report unauthorized use or disclosure to the CE.
5. Require the BA to disclose PHI as needed to satisfy the CE's obligations to provide individuals with access to their PHI, amendments, and accountings.
6. Require the BA to comply with the CE's Privacy Rule obligations, as agreed.
7. Require the BA to make available to HHS the information needed to show the CE's compliance with HIPAA.
8. At termination of the contract, require the BA to return or destroy the PHI.
9. Require the BA to ensure that its subcontractors agree to the same provisions the BA agreed to.
10. Authorize termination of the contract if the BA violates any material term (i.e., items 1-9).
Business Associate Essentials
Have a Business Associate Agreement.
Know your Business Associates. How are they protecting PHI?
Know what PHI your Business Associates access.
Top Risk Areas That You Should Consider and Mitigate
1. Do you have a complete and up-to-date set of security and privacy policies?
2. Do you have an inventory that identifies the devices, network and software that process, store and transmit PHI?
3. Have you conducted a risk assessment in the past 12 months and acted on it?
4. Do you have business associate agreements in place with all BAs you share PHI with?
5. Do you have a business continuity plan in place in case of a disaster or breach?
6. Do you conduct required security and privacy awareness training?
7. Is all patient information encrypted on mobile devices?
8. Do you have a documented policy for granting, changing or terminating PHI access?
9. Have you designated one person as security officer in your organization?
10. Do you track who has been assigned or has access to mobile devices, keys and physical tokens?
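The three-step flow described earlier (a yes/no rapid risk analysis, a gap analysis prioritized by risk, cost and impact, and a task-by-task remediation work plan with owners) carried through in working code, using the ten questions above as the questionnaire. This is an added example and is not part of the presentation or of any QiP Solutions product; the numeric risk, impact and cost weights, the scoring formula (risk x impact / cost), the control identifiers and the sample answers are assumptions for illustration, not guidance from the slides.

```python
"""Risk assessment -> gap analysis -> work plan, as a worked example.

Added example, not from the presentation. The ten questions come from the
"Top Risk Areas" slide; the weights, scoring and sample answers are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    id: str
    question: str
    risk: int    # likelihood a gap here is exploited, 1 (low) .. 5 (high); assumed
    impact: int  # consequence to PHI if it is, 1 .. 5; assumed
    cost: int    # relative remediation effort, 1 (cheap) .. 5 (expensive); assumed


# The ten yes/no questions from the slide, with assumed weights.
CONTROLS = [
    Control("policies", "Complete, up-to-date security and privacy policies?", 3, 3, 2),
    Control("inventory", "Inventory of devices, network and software that handle PHI?", 4, 4, 2),
    Control("risk_assessment", "Risk assessment in the past 12 months, acted on?", 4, 4, 3),
    Control("baa", "BAAs in place with every BA that receives PHI?", 3, 5, 1),
    Control("bcp", "Business continuity plan for a disaster or breach?", 2, 5, 4),
    Control("training", "Required security and privacy awareness training conducted?", 4, 3, 1),
    Control("mobile_encryption", "All patient information encrypted on mobile devices?", 5, 5, 2),
    Control("access_policy", "Documented policy for granting, changing, terminating PHI access?", 4, 4, 1),
    Control("security_officer", "One person designated as security officer?", 2, 3, 1),
    Control("asset_tracking", "Tracking of who holds mobile devices, keys and physical tokens?", 3, 3, 1),
]

# Constructed sample answers for a small practice (not real data): True = "yes".
SAMPLE_ANSWERS = {
    "policies": True, "baa": True, "training": True, "security_officer": True,
    "inventory": False, "risk_assessment": False, "bcp": False,
    "mobile_encryption": False, "access_policy": False, "asset_tracking": False,
}


def score(control):
    """Priority score: exposure (risk x impact) per unit of remediation cost.
    Higher means fix sooner. The formula is an assumption, not from the slides."""
    return control.risk * control.impact / control.cost


def gap_analysis(answers):
    """answers maps control id -> bool. Returns open gaps as (id, score) tuples,
    highest priority first. An unanswered question counts as a "no": the slide's
    "no ambiguity" rule means a control you cannot confirm is a gap."""
    gaps = [c for c in CONTROLS if not answers.get(c.id, False)]
    gaps.sort(key=lambda c: (-score(c), c.id))
    return [(c.id, round(score(c), 2)) for c in gaps]


def work_plan(answers, owners):
    """Turn ranked gaps into a task list with one owner per control.
    owners maps control id -> person or team; unassigned gaps default to the
    security officer, the single accountable person the slides ask you to name."""
    by_id = {c.id: c for c in CONTROLS}
    plan = []
    for rank, (cid, s) in enumerate(gap_analysis(answers), start=1):
        plan.append({
            "rank": rank,
            "control": cid,
            "score": s,
            "task": "Remediate: " + by_id[cid].question,
            "owner": owners.get(cid, "security officer"),
        })
    return plan


if __name__ == "__main__":
    for task in work_plan(SAMPLE_ANSWERS, {"mobile_encryption": "IT services"}):
        print(f"{task['rank']}. [{task['score']}] {task['task']} -> {task['owner']}")
```

With the sample answers the plan leads with the PHI access policy and mobile-device encryption (high exposure, cheap to fix) and ends with business continuity planning (important but expensive), which is the kind of ordering a cost-aware gap analysis should produce; change the weights to match your own environment rather than treating these as fixed.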
Increase Security Literacy: Support Your Staff in Understanding Their Role in HIPAA HITECH Compliance
Who: Employees (full-time, part-time, temporary) with access to PHI, electronic or paper
When:
Onboarding of new employees
Supplemental training throughout the year (targeted reminders, or a new job duty, new policy, new procedure, new technology, or a security incident)
Annual review of general HIPAA concepts
How:
Onsite: classroom training
Virtual: e-learning (videos, interactive online training software, kiosk)
Email, posters, flyers
Thank You!
Anna Gard, RN, FNP-BC, Health IT and Quality Consultant, DPM Healthcare Consulting, gardanna@gmail.com
Adam Bullian, JD, Director, QiP Solutions, abullian@qipsolutions.com