HIPAA – A Refresher Course

Presentation Transcript

1. HIPAA – A Refresher Course. Michael J. Schoppmann, Esq., Kern Augustine Conroy & Schoppmann, P.C.

2. HIPAA: The Health Insurance Portability and Accountability Act of 1996

3. HIPAA Risk Management and Prevention

4. HIPAA - “Administrative Simplification”
   • Privacy
   • Electronic Transactions and Code Sets
   • National Provider Identifier
   • Security

5. HIPAA Privacy: Requires Safeguards in place
   • Administrative
   • Physical
   • Technical

6. HIPAA Privacy: Should already have in place
   • Privacy Notice
   • HIPAA compliant authorizations
   • Policy & Procedure Manual
   • Business Associates Contracts

7. HIPAA Electronic Transactions and Code Sets Rule
   • Deadline was October 23, 2003
   • YOUR responsibility, NOT vendors
   • Move toward electronic billing is economically mandated

8. HIPAA Electronic Transactions and Code Sets Compliance Checklist: Software Vendors
   • Software HIPAA Compliant?
   • Any changes needed (additional fields or removal of fields)?
   • HIPAA Compliance/Certified in writing?

9. HIPAA Electronic Transactions and Code Sets Compliance Checklist: Health Plans and Payors
   • HIPAA Compliant?
   • Instruction Manuals or “Companion Guides” Issued?
   • Trading Partner Agreement issued?
   • HIPAA Compliance/Certified in writing?

10. HIPAA National Provider Identifier
   • Used to coordinate with billing services, vendors, clearinghouses, and payers.
   • Must also be shared with other providers, health plans, clearinghouses, and any entity that may need it for billing purposes.
   • All providers should have already obtained NPIs pursuant to federal law.
   • CMS has provided guidance on how to keep NPPES passwords and information updated and protected.

11. HIPAA Security: Cited Purpose
   • To ensure Confidentiality, Integrity, and Availability of PHI

12. HIPAA Security: Scope
   • All Electronic Protected Health Information (EPHI), versus Privacy, which covers paper, oral, AND electronic PHI
   • Data in motion AND at rest – Stored data and transmitted data
   • Protects against reasonably anticipated Threats or Hazards to Security or Integrity of PHI

13. HIPAA Security: Compliance Checklist
   • Assess current security, risks and gaps
   • Develop an implementation plan
   • Implement solutions
   • Document Solutions
   • Reassess periodically

14. New HIPAA – The HITECH Act
   • Title XIII of the American Recovery & Reinvestment Act of 2009 (ARRA)
   • Health Information Technology for Economic & Clinical Health Act
   • Enacted Feb. 17, 2009; Majority effective Feb. 17, 2010

15. New HIPAA – The HITECH Act
   • Promotes EHRs
   • Expands HIPAA privacy & security requirements and protections
   • Increases penalties
   • New Data Breach Notification requirement

16. New HIPAA - Overview
   • Right to Access PHI
   • Minimum Necessary
   • Requested Restrictions
   • Marketing
   • Disclosures Accounting
   • Sale of PHI
   • Extension to BAs
   • Breaches
   • Penalties

17. New HIPAA - HITECH
   • If CE uses EHR – Patient right to electronic copy of records
   • Right to direct CE to transmit electronic copy to third party
   • Minimum Necessary – preference now for Limited Data Sets; de-identified data
   • Patient can restrict disclosure of PHI to health plans for self-pay services

18. New HIPAA - HITECH
   • Exceptions to use of PHI for marketing no longer applicable where CE is remunerated (limited exceptions)
   • Patient right to accounting of routine disclosures, including TPO, if CE uses an EHR
   • CE/BA cannot sell PHI without specific patient authorization (limited exceptions)

19. New HIPAA – HITECH – Business Associates
   • BAs now directly regulated; not just through BA agreements
   • Must comply with Security Rule’s administrative, physical & technical safeguards and documentation requirements
   • Subject to additional privacy & security HITECH provisions applicable to CEs

20. New HIPAA – HITECH – Business Associates
   • Address new requirements in new BA agreements
   • Wait for guidance before amending existing BA contracts
   • But give BAs notice of new obligations, including data breach notice requirements and timeframes

21. New HIPAA – HITECH – Data Breach
   • Applies to unsecured PHI
   • Breach notification required of CEs and BAs
   • Effective 9/23/09; enforced 2/2010
   • Regulations define breach, timeframe for notice, content of notice, mitigation
   • State laws also apply

22. New HIPAA – HITECH – Penalties
   • Increased penalties for HIPAA violations, immediately effective
   • BAs now also subject to civil and criminal enforcement
   • Tiered penalties based on fault and corrective action
   • $100/violation if “innocent”
   • Up to $50,000/violation if willful neglect and uncorrected

23. New HIPAA – HITECH – Penalties
   • State AG can bring civil suit under HIPAA
   • CMPs shared with harmed persons
   • Individuals—not just CEs—can be criminally prosecuted
   • HHS must conduct HIPAA compliance audits

24. HIPAA Snapshot Audit: If you answer any of the following statements “False” you may need to change office procedures.

25. HIPAA Snapshot Audit 1. My office does not use a patient sign in sheet that includes confidential patient information. _____ True _____ False

26. HIPAA Snapshot Audit 2. My office does not place patient schedules in any places that may be seen by patients or other non-staff individuals. _____ True _____ False

27. HIPAA Snapshot Audit 3. In my office, all confidential conversations take place to the maximum extent possible in areas that cannot be overheard by other patients or non-staff individuals. _____ True _____ False

28. HIPAA Snapshot Audit 4. In my office patients and non-staff individuals cannot gain access to our computers or fax machines and cannot view our computer screen. _____ True _____ False

29. HIPAA Snapshot Audit 5. Each computer user in my office has a personal computer password, these passwords change on a regular basis, and passwords of terminated employees get deleted immediately. _____ True _____ False

30. HIPAA Snapshot Audit 6. In my office patients and other non-staff individuals do not have any opportunity to access patient medical records, laboratory reports, and faxes. _____ True _____ False

31. HIPAA Snapshot Audit 7. My office has formal documented procedures to ensure patient confidentiality when transferring to other offices paper files, orders, images, and specimens. _____ True _____ False

32. HIPAA Snapshot Audit 8. My office has formal documented procedures for the acceptance of confidential patient information from outside of our office. _____ True _____ False

33. HIPAA Snapshot Audit 9. My office has confidentiality statements in place and we make patients aware of our confidentiality policies. _____ True _____ False

34. HIPAA Snapshot Audit 10. My office has formal privacy and security procedures regarding access to confidential information, access to computer information, and access to areas of the office that may contain confidential information. _____ True _____ False

35. HIPAA Snapshot Audit 11. My office requires the return of all keys and other items that allow access to the office and to computer files when a person no longer is authorized to access information. _____ True _____ False

36. HIPAA Snapshot Audit 12. My office has formal privacy and security policies for all office personnel, training for all office personnel, and the training of each individual is documented. _____ True _____ False

37. HIPAA Snapshot Audit 13. If my office uses laptops or other portable equipment that holds confidential patient information, this equipment is secure and can only be accessed by authorized personnel. _____ True _____ False _____ NA

38. HIPAA Snapshot Audit 14. My office has policies and procedures in place to ensure patient confidentiality by off-site contractors, such as billing and accounting services. _____ True _____ False

39. HIPAA Snapshot Audit 15. My office has a comprehensive survey of all of our computer systems, including all software. _____ True _____ False

40. HIPAA Snapshot Audit 16. My office has a disaster plan to protect patient information, has contingency plans in the event of a computer systems failure, performs regular virus checks, and corrects any identified problems. _____ True _____ False

41. HIPAA Snapshot Audit 17. All confidential information – paper and electronic – is stored with appropriate safeguards. _____ True _____ False

42. HIPAA Snapshot Audit 18. Internet transmissions, including e-mail, and telephone conversations are secure. _____ True _____ False

43. HIPAA Snapshot Audit 19. My office has confidentiality statements on all faxes and e-mail sent by the office staff. _____ True _____ False

44. Conclusions
   • “Compliance” must be new focus
   • Incorporate all new HITECH requirements
   • Be involved
   • Be vigilant
   • Be careful

45. Questions & Conclusions
