1 / 34

Your Keys to Compliance: From HIPAA to Meaningful Use

Your Keys to Compliance: From HIPAA to Meaningful Use. Virginia Brooks VHIT Director Mark Watson Director, Hancock, Daniel, Johnson & Nagle, PC January 15, 2014. Today’s Presentation. Focus on Privacy & Security Know the Rules Meaningful Use Risk Assessment Be Prepared

akira
Download Presentation

Your Keys to Compliance: From HIPAA to Meaningful Use

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Your Keys to Compliance:From HIPAA to Meaningful Use Virginia Brooks VHIT Director Mark Watson Director, Hancock, Daniel, Johnson & Nagle, PC January 15, 2014

  2. Today’s Presentation • Focus on Privacy & Security • Know the Rules • Meaningful Use • Risk Assessment • Be Prepared • How Can VHIT Help You?

  3. Why Focus on Privacy & Security? • Key to building patients’ trust • Important for patient safety • Essential for realizing full benefits of EHRs • Avoid penalties for breaches • Necessary to comply with federal, state and local laws

  4. HIPAA & HITECH Act • Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects confidentiality and privacy of healthcare information • American Recovery and Reinvestment Act of 2009 (“stimulus package”) of 2009 includes Health Information Technology for Economic Clinical Health (HITECH) Act • Promotes adoption of EHRs by offering Medicare & Medicaid incentives to physicians demonstrating Meaningful Use

  5. Be Advised This presentation is for informational purposes only and is not intended to suggest or offer legal advice.

  6. Know the Rules • How do the new HIPAA regulations change things? • Updated terms/standards on: • Notice of privacy practices • Business associate agreements (and business associates) • Breach notification • Patient requests for restrictions • Access rights for patients • Marketing • Sale of PHI, Research, PHI of decedents, and more ...

  7. Know the Rules • Notices of Privacy Practices • Must state authorization typically required for: • most uses and disclosures of psychotherapy notes • most uses and disclosures for marketing • most uses of PHI • Must include statement on right to breach notification

  8. Know the Rules • Notices of Privacy Practices • Has your NPP been updated regarding requested restrictions?

  9. Know the Rules • Business Associates • HIPAA rule now includes entities and individuals that create, receive, maintain or transmit health information on behalf of the covered entity • Prior definition applied only to entities and individuals that used or disclosed health information

  10. Know the Rules • Business Associates • “Conduit” exception • Regulatory comments say it’s narrow to exclude “only those entities providing mere courier services” such as the post office and ISPs. • Random or infrequent access to PHI doesn’t eliminate the “conduit” exception, BUT • If the entity requires access regularly, or is involved in something other than just transmission, the conduit exception doesn’t apply

  11. Know the Rules • Business Associates • “Conduit” exception cont’d • Data storage company ( digital or hard copy) is a BA even if it does not view the information • Document disposal company is a BA even if it does not view the information • BAAs should address subcontractors

  12. Know the Rules • Business Associates • Timing for updates / changes • New arrangements on or after Jan. 25, 2013, new BAA standards apply • If the arrangement was in place before Jan. 25, 2013 and isn’t modified or renewed between March 26, 2013 and Sept. 23, 2013 – you have until Sept. 22, 2014 • If the arrangement is modified or renewed after March 26, 2013 – new BAA standards apply

  13. Know the Rules • HIPAA • Security Rule: establishes requirements for protecting electronic PHI • Confidentiality / Integrity / Availability • Physical / Technical / Administrative Safeguards • Develop and maintain policies and procedures • Back up / disaster recovery / emergency plans • Risk Assessment • Record incidents

  14. Know the Rules • HIPAA • Breach Notification Rule: unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the information • Prior regulations defined a “Breach” as a compromise involving a significant risk of financial, reputational or other harm

  15. Know the Rules • Breach • “Risk” criteria has technincally been eliminated, BUT • Situation may not be a “compromise” if the CE or BA demonstrates that there is a “low probability” that the PHI has been compromised

  16. Know the Rules • Breach • “Compromise” assessment based on: • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification • The unauthorized person who used the PHI or to whom disclosure was made • Whether the PHI was actually acquired or viewed • The extent to which the risk to the PHI has been mitigated

  17. Know the Rules • HITECH Act changed things • CEs are required to agree to requests for restrictions in certain cases • New regulations finalize these standards • CEs must agree to restrict disclosure of PHI to a health plan if • The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law • The PHI pertains solely to a health care item or service for which the individual, or someone other than the health plan, has paid in full

  18. HITECH Civil Monetary Penalties

  19. Know the Rules Access to ePHI • If ePHI is in a designated record set and the individual requests an electronic copy, the CE must provide the individual with access in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual

  20. Know the Rules Marketing • Has always required authorization, But • Has also included “carve outs” for communications to describe other services by the CE and for case management/care coordination • New regulations include similar terms, but many carve outs do not apply where the CE receives “ financial remuneration” • Financial remuneration means direct or indirect payment from or on behalf of a third party whose product is being described

  21. Know the Rules Sale of PHI • Strict prohibition on sale of PHI without authorization with limited exceptions • Authorization must state that the disclosure will result in remuneration to the CE • Sale does not include (i.e. authorization isn’t required) for: • Research • The sale or transfer of all or part of the CE and related due diligence

  22. Action Items • Review and update your policies and procedures, including: • Breach notification • Requests for restrictions • Access rights • Marketing? • Research? • Sale of PHI? • Decedents? • Immunization records?

  23. Action Items • Are other updates/revisions appropriate? • Are your security policies, procedures and actual security measures appropriate?

  24. Enforcement Examples • Rite Aid (2010) • Improper disposal of prescriptions and pill bottles • $1 million settlement, CAP, training for employees • Massachusetts General (2011) • Employee took billing encounter forms home; 192 paper records lost • OCR settlement for $1 million, 3 year CAP • Phoenix Cardiac Surgery (2012) • Patient appointments posted on Internet-based calendar • Practice implemented few policies/procedures, limited safeguards • OCR settlement for $100,000

  25. Meaningful Use Standards for Privacy & Security • HITECH promotes adoption of EHRs by offering Medicare & Medicaid incentives to physicians demonstrating Meaningful Use • MU Core Objectives require providers to protect health information created and maintained by an EHR. • Having an ONC certified EHR vendor is not enough

  26. Data Security Safeguards • Conduct security risk analysis • Perform a thorough compliance audit • Safeguards may include: • Documented policies and procedures that govern physical and environmental security of data, to include firewalls and more • Visitors are authenticated and escorted at all times, and there are detailed records of visits • Mobile devices are vulnerable and require much more than password or PIN to be secure

  27. Safeguards Continued • Secure areas are physically protected, such as monitoring by a receptionist, and security by locked doors and cameras • Keys and combinations are password protected or otherwise secure, and locks are changed when keys are lost or stolen and when employees are terminated • Adequate fire detectors exist and powered by an independent energy source • And many more safeguards …

  28. Risk Assessment vs. Risk Analysis • Risk assessment must be completed per HIPAA Security Rules to address reasonably anticipated risks to protect health information • Risk analysis of EHR environment for Meaningful Use is necessary per HITECH to assess damage related to Breach Notification

  29. Perform a HIPAA Risk Assessment Top 5 Privacy Issues Identified by OCR: • Impermissible uses and disclosures • Insufficient safeguards of PHI • Failure to provide patient access to PHI • Use/disclosure of more than minimum necessary PHI • Insufficient notice to patients of use/disclosure of PHI

  30. Resources are Available • Risk Analysis Now = Future Time + Savings • Checklists & self-help tools can help you get ready • Thorough risk analysis that will pass a compliance review requires expert knowledge • VHIT is ready to help you!

  31. How VHIT Will Help • Privacy & Security Risk Assessment • Verify physical, administrative and technical safeguards • Verify current Privacy & Security policies and procedures, BAA agreements, and business contingency plan • Risk mitigation plan based on findings

  32. What You Will Get • Privacy & Security Risk Assessment results in hard copy and CD-ROM • Policy templates and supporting documents • Additional materials, including incident logs, cyber security tips, and FAQ tip sheets • HIPAA/HITECH Security training certificates

  33. VHIT Expertise and Experience • A Top 5 Regional Extension Center • Supporting 4,000+ providers • Helped 2,200+ qualify for federal EHR incentive payments • Uniquely qualified

  34. Questions / Contact Us • Virginia Brooks, MHA, CPHQ (804) 289-5343 vbrooks@vhqc.orghttp://vhitrec.org • Mark C. Watson, JD (866) 967-9604 mwatson@hdjn.comhttp://hdjn.com Hancock, Daniel, Johnson & Nagle, P.C.

More Related