
HIPAA Privacy & Security Overview

Presentation Transcript


  1. HIPAA Privacy & Security Overview (Know HIPAA presents)

  2. Agenda
  • HIPAA Overview
  • Privacy Practices
  • Security definitions
  • Security standards
  • Security safeguards
  • Security incidents
  • Sanctions
  • Breach notification
  • Enforcement update

  3. Overview of HIPAA
  • Title I — Health Care Access, Portability and Renewability
  • Title II — Preventing Health Care Fraud and Abuse (we focus on this portion of HIPAA only)
  • Title III — Tax-Related Health Provisions
  • Title IV — Group Health Plan Requirements
  • Title V — Revenue Offsets
  Title II, Subtitle F — Administrative Simplification:
  • Electronic Transactions
  • Code Sets
  • Unique Identifiers (e.g. the Employer Identifier)
  • Privacy
  • Information Security

  4. Who Does HIPAA Impact?
  • Covered Entities - must comply
    #1 – Health care providers
    #2 – Group health plans (fully or self-insured employer-sponsored plans and health insurance issuers)
    #3 – Clearinghouses
  • Business Associates - should comply
    #4 – Firms working with covered entities. Examples include billing services, transcription services, TPAs and brokers.

  5. Protected Health Information (PHI) / Individually Identifiable Health Information
  • Protected Health Information (PHI) is information relating to the past, present or future physical or mental health of an individual (employee), whether they are active or terminated.
  • Individually Identifiable PHI is PHI that identifies an individual. This could include: name, address, date of birth, Social Security number, telephone numbers, e-mail address, account numbers, Group Health Plan beneficiary number, or any other unique identifying number, characteristic or code.

  6. Privacy Rule
  • Applies to paper, oral and electronic records
  • Sets boundaries on the use and disclosure of health information
  • Gives "individuals" more control over their own health information
  • Establishes safeguards for protecting the privacy of health information
  • Holds covered entities accountable for violations of privacy requirements

  7. Privacy Regulation
  Some requirements that a covered entity must comply with include, but are not limited to, the following:
  • Designating a Privacy Official
  • Designating a contact for handling complaints
  • Developing policies and procedures on the use and disclosure of individually identifiable health information
  • Providing training to all workforce members on the policies and procedures that affect their job duties
  • Providing a Notice of Privacy Practices to individuals

  8. How Does a Covered Entity Use Protected Health Information?
  • They share this information with other healthcare providers. They are permitted to use and/or disclose information for treatment, payment or health care operations without getting permission from the individual.
  • Using the information for any other reason, or disclosing it to anyone other than the patient or the Covered Entity, may require a signed and verified authorization.

  9. Authorizations
  • What is an authorization?
  • When is it used?

  10. Other Aspects of HIPAA Administration
  • The individual has the right to access their protected health information, receive an accounting of disclosures, amend their protected health information, file a complaint, request confidential communications, or restrict access to their protected health information.

  11. Confidentiality
  • All Covered Entity employees who have access to protected health information agree that at no time, during or after their employment with the Covered Entity, will they use, access or disclose protected health information to anyone except as required or permitted in the course and scope of their duties.
  • Unauthorized use or disclosure may result in disciplinary action up to and including termination.
  • Civil or criminal penalties may also apply.

  12. Safeguards
  Covered entities must implement appropriate safeguards to protect an individual's protected health information. Remember to do the following:
  • Records that contain protected health information should be maintained in a secure location or locked away.
  • Records that contain protected health information should be shredded before the information is discarded.
  • Passwords should not be shared with anyone.
  Electronic protected health information needs to be safeguarded as well.

  13. HIPAA Security
  • May 21, Purdue University
  • May 21, Jackson Community College (Michigan)
  • May 19, Westborough Bank (Florida)
  • May, Business Week On-line forum
  • May 14, MTSU
  • May 5, Wharton school (MSU)
  • May 2, Time Warner
  • April 28, Bank of America, Commerce Bancorp, PNC Bank
  • April 21, Carnegie Mellon University
  • April 20, AmeriTrade
  • April 8, San Jose Medical Group
  • March 28, University of California, Berkeley
  • March 20, Kellogg MBA program
  • March 17, Boston College
  • March 17, Chico State University
  • March 16, Kaiser Permanente
  • March 8, DSW
  • March, LexisNexis (Seisint)
  • February 15, Bell v. Michigan Council 25
  • February, Bank of America
  • February, ChoicePoint
  • February, PayMaxx
  • November, Wells Fargo
  • November, Gibson sentencing, US District Court
  • November, Minneapolis School District

  14. What is Electronic PHI?
  Individually identifiable health information that is:
  • Transmitted by electronic media
  • Maintained in electronic media
  • Transmitted or maintained in any other form or medium

  15. Security Standards
  • Only those who need access get access
  • Physical access
  • Technical access
  • The covered entity is responsible for the confidentiality, integrity and availability of EPHI
  • The covered entity's safeguards are the first line of defense

  16. Security Standards - General Rules
  • Must have policies and procedures
  • Security measures are appropriate and reasonable
  • Considerations:
    • Size
    • Complexity
    • Mission
    • Purposes of the EPHI created, maintained and transmitted

  17. Security Management Process
  • Risk analysis
  • Risk management
  • Sanction policy
  • Information system activity review

  18. Safeguards
  • Workforce security
  • Information access
  • Facility security plan
  • Workstation use
  • Device and media controls
  • Access controls (technical)
  • Administrative requirements

  19. Security Awareness
  • Training
  • Security reminders
  • Protection against malicious software
  • Password management

  20. Contingency Plans (Availability)
  • Data backups
  • Disaster recovery
  • Emergency operation plan
  • May have:
    • Critical applications and data
    • Testing and revisions

  21. Workforce Security Training
  • Who
  • When
    • New employees or contractors
    • Due to changes

  22. Events Requiring Action
  • Security incidents
  • Sanctions
  • Breach notification

  23. Security Incidents
  • What are they?
  • What should you do?
  • Actions depend on the incident
  • Who was responsible? A third party?
  • Are sanctions required?

  24. Sanctions/Violations
  • Workforce members who violate the health plan's Privacy or Security Policies may be subject to disciplinary actions, up to and including termination.
  • The amount and type of corrective action used in any particular situation will depend on the facts and circumstances. The company maintains the discretion to determine whether corrective action is appropriate.

  25. Specifics
  • Notification to individuals
  • Notification to the media
  • Notification to the Secretary
  • Notification by a business associate
  • Law enforcement delay
  • Burden of proof

  26. Guidance & Enforcement
  • Annual guidance regarding technology
  • Random audits
  • Reports to Congress
  • Increased fines
  • 2013 changes

  27. The price for non-compliance: Why Comply?

  28. Questions?
