HIPAA Compliance and Electronic Records
Introduction

Dennis M. Walsh, President

Patriot Networks, Inc.

dwalsh@patriotnetworks.com

www.patriotnetworks.com/hipaa

Sources: 4MedApproved web site

HHS.gov web site

Course Overview

HIPAA Overview

What is the HIPAA Privacy Rule

What is the HIPAA Security Rule

HIPAA Regulations for Business Associates

The HITECH Act and The HIPAA Omnibus Final Rule 2013

HIPAA Office for Civil Rights Audits and Enforcements

HIPAA Penalties and Data Breaches

Course Overview (cont’d)

HIPAA Training, Policies and Procedures, and Awareness

Compliance with other Laws and Regulations

Technology Topics

Email Encryption

Windows XP End of Life

Offsite Backup

File sharing solutions, e.g. Dropbox

Miscellaneous topics

End of Course Summary

HIPAA Overview

HIPAA a.k.a. Health Insurance Portability and Accountability Act

Passed by Congress in 1996

HIPAA required insurance companies to accept most new customers with pre-existing conditions—creating “portability” of health insurance.

Three Major goals of HIPAA are:

Lowering healthcare administration costs

Providing individuals with some control over their health information

Setting standards for providers sharing health information

HIPAA Overview (cont’d)

HIPAA is supposed to be written so that it covers the single provider practice all the way through billion dollar corporations

It is fairly specific on requirements, but vague on implementation of technologies due to constant changes in technology

The U.S. Department of Health and Human Services (HHS) administers HIPAA.

The Office for Civil Rights (OCR), an agency of HHS, is responsible for enforcement, policy development, and technical assistance.

HIPAA Overview (cont’d)

From the Office for Civil Rights web site, part of their mission statement reads:

“Annually resolving more than 10,000 citizen complaints alleging discrimination or a violation of HIPAA”

HIPAA Overview (cont’d)

Covered Entities include

Health Plans

Health care Clearinghouses

Health care Providers

Business Associates are businesses that provide services to a Covered Entity and that may encounter PHI in doing so.

HIPAA Overview (cont’d)

Protected Health Information (PHI)

All "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

Privacy Rule

Governs the use and disclosure of PHI

Information should be shared on a “minimum necessary” basis

HIPAA Overview (cont’d)

Security rule

Governs the Confidentiality, Integrity, and Availability of electronic health information

Requirements covered include:

Administrative

Technical

Physical

HITECH Act

Included significant changes to HIPAA in 2009

Increased civil penalties

Provided funding for incentives for the adoption of Electronic Health Record systems for doctors

HIPAA Overview (cont’d)

Enforcement of HIPAA and Penalties

The loss of PHI or improper release of PHI by Business Associates and Covered Entities needs to be reported by law

Civil penalties of up to $1.5 million

Failure to cooperate with the investigation can result in additional fines

Criminal penalties include fines and imprisonment up to 10 years

The intentional use of health information for commercial gain or personal gain, or to cause harm is a cause for criminal penalty

What is the HIPAA Privacy Rule

Protects health information in all forms:

Electronic

Verbal

Written

Applies to all Covered Entities and Business Associates

Information Disclosure:

PHI may be shared between providers without requiring a patient’s written authorization

when the information is being used as part of healthcare operations, payment, or treatment of that patient

What is the HIPAA Privacy Rule

Information shared on a “Minimum Necessary” basis:

This is the Baseline and Guideline for the sharing of all PHI

Policies and Procedures can vary greatly based on the size of the organization:

In a small office, the front desk person may need access to everything because they wear many hats and have responsibility for most activities

In a large office, you may limit the access of the front desk person based on their responsibilities

Notice of Privacy Practices

Covered Entities are required to provide patients with a Notice of Privacy Practices (NPP)

The NPP describes the use of patients’ records in the practice.

Describes the responsibility to protect the information, including confidentiality

What is the HIPAA Privacy Rule

Notice of Privacy Practices (cont’d)

The patient’s rights to withhold or release information

Disclose who is the HIPAA Security officer for the practice

How to file a complaint

The deadline for revisions to NPPs was September 23, 2013, and was enacted as part of the HIPAA Omnibus Final Rule

What is the HIPAA Privacy Rule

Information shared on a “Minimum Necessary” basis

“Minimum Necessary” examples:

HHS compliance or enforcement due to audit or investigation

Patient explicitly authorizes the disclosure

Giving the information directly to the patient

Access by a healthcare provider for treatment

Release required by legal means, including disclosure to law enforcement

What is the HIPAA Security Rule

From the HHS web site:

“The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

What is the HIPAA Security Rule

Three Safeguards of the Security Rule:

Administrative

Physical

Technical

Under the safeguards, there are specifications that are Required and ones that are Addressable

What is the HIPAA Security Rule

From the HHS Publication “HIPAA Administrative Simplification”

Administrative Safeguards:

Security Management Process

Implement policies and procedures to prevent, detect, contain, and correct security violations

Assigned Security Responsibility

Identify the security official who is responsible for the development and implementation of the policies and procedures ….

Workforce Security

Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information …..

Information Access Management

Implement policies and procedures for authorizing access to electronic protected health information …

What is the HIPAA Security Rule

Administrative Safeguards: (cont’d)

Security Awareness and Training

Implement a security awareness and training program for all members of its workforce

Security Incident Procedures

Implement policies and procedures to address security incidents.

Contingency Plan

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Evaluation

Perform a periodic technical and nontechnical evaluation….. that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

What is the HIPAA Security Rule

Physical Safeguards:

Facility Access Controls

Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Workstation Use

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

What is the HIPAA Security Rule

Physical Safeguards: (cont’d)

Workstation Security

Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Device and Media Controls

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Includes policies for disposal of media, media re-use, and data backup

What is the HIPAA Security Rule

Technical Safeguards:

Access Control

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (your Administrative Safeguards)

Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Integrity

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

What is the HIPAA Security Rule

Technical Safeguards:

Person or Entity authentication

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Transmission Security

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Also includes:

Encryption:

Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

HIPAA Regulations for Business Associates

What is a Business Associate?

A person or business that performs a function or activity on behalf of, or provides services to, a Covered Entity that involves Individually Identifiable Health Information

Is not a workforce member of the Covered Entity

A Covered Entity can itself be a Business Associate of another Covered Entity

HIPAA Regulations for Business Associates

Examples of Business Associates:

A third party administrator that assists a health plan with claims processing.

A CPA firm whose accounting services to a health care provider involve access to protected health information.

An attorney whose legal services to a health plan involve access to protected health information.

A consultant that performs utilization reviews for a hospital.

A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

An independent medical transcriptionist that provides transcription services to a physician.

A pharmacy benefits manager that manages a health plan’s pharmacist network.

HIPAA Regulations for Business Associates

Business Associate Contracts:

A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at (the HIPAA standard for contracts on the HHS web site).

For example, the contract must:

Describe the permitted and required uses of protected health information by the business associate

Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law

Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.

Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement.

The HITECH Act & The HIPAA Omnibus Final Rule of 2013

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was part of the American Recovery and Reinvestment Act, also known as the “Stimulus Package”.

Changes it made to HIPAA include:

• Increased civil penalties – from $100 per violation to $25,000 per violation

• Strengthened breach notification requirements

• Exempted breach notifications for encrypted data

• Required Business Associates to comply with HIPAA to the same extent as Covered Entities, giving the federal government direct authority over Business Associates

• Extended civil enforcement to include the Attorney General of each state

The HITECH Act & The HIPAA Omnibus Final Rule of 2013

What is a Breach?

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

The unauthorized person who used the protected health information or to whom the disclosure was made;

Whether the protected health information was actually acquired or viewed;

The extent to which the risk to the protected health information has been mitigated.

The HITECH Act & The HIPAA Omnibus Final Rule of 2013

Exceptions to definition of a “breach”:

The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.

The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

The HITECH Act & The HIPAA Omnibus Final Rule of 2013

Is Encrypted Data excluded from the “breach” regulations?

Yes, provided the electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption), and the confidential process or key that might enable decryption has not itself been breached.

Encrypted data meeting those conditions is excluded from the breach regulations.

The HITECH Act & The HIPAA Omnibus Final Rule of 2013

The HITECH Act extended civil enforcement to the state Attorneys General. As a result, HIPAA violations may be subject to both federal and state penalties.

HIPAA Office for Civil Rights Audits and Enforcements

The HITECH Act of 2009 included funding for audits and enforcement, and it also extended authority to enforce civil violations to the state attorneys general. As a result, the regulatory environment for healthcare providers has changed significantly with regard to HIPAA compliance.

The federal government classifies health information privacy as a fundamental civil right, akin to other rights protected by the Constitution. The HHS Office for Civil Rights (OCR), with an annual budget of approximately $39 million, is the primary enforcer of HIPAA compliance.

HIPAA Office for Civil Rights Audits and Enforcements

Increased enforcement partially due to the requirement that all breaches of more than 500 patient records be reported to the Office for Civil Rights within 60 days

The HITECH Act requires that periodic audits take place. A pilot program run from November 2010 through December 2012 performed 115 audits.

Reports of HIPAA violations typically come from breach reports, patient complaints, and whistleblower complaints.

HIPAA Training, Policies and Procedures, and Awareness

Policies are rules.

Procedures are steps needed to implement the rules.

The policies should be general so that changes in products or technologies do not require a change in policy.

The procedures should be specific and detail how the policy will be met or enforced.

Example: The policy is that all email with PHI will be encrypted. The procedure details the solution used to encrypt the emails and steps necessary to encrypt the email.

HIPAA Training, Policies and Procedures, and Awareness

HIPAA does not state how to write the policies.

Procedures should be detailed and reference the HIPAA requirement they satisfy. They can include specific steps to complete a task or written details on the configuration of an item, such as a firewall, antivirus software, etc.

Implement an Awareness program to remind your staff of HIPAA rules and regulations and your office policies and procedures.

All current staff and new hires in the future should be properly trained on HIPAA. An annual training session is a good policy.

Compliance with other Laws and Regulations

Massachusetts Privacy Law 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH

Went into effect March 1, 2010

Was specific as to protecting personal information

Included email encryption, encrypting laptops, and requiring firewalls

Email Encryption

Required under HIPAA

Not just about protecting the information during sending but ensuring it reaches the correct recipient.

Multi-step process to access attachments in the encrypted email by the recipient

Email Encryption - Example

Create a new email, in the Subject line include the word “Securemail”, attach the file, and send the email.

The recipient will receive this email:

Email Encryption

Ways to Encrypt an email (your mileage may vary)

Use a keyword or phrase in the subject line

Use a lexicon or preset policy, e.g. encrypt when the message contains a Social Security number or other key types of information

Mark the message “Confidential” in Outlook

Button on Outlook toolbar that is clicked to encrypt the email
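As an added example that is not part of the presentation, the policy from the earlier slide (“all email with PHI will be encrypted”) written as a procedure: an outbound-mail gateway check that applies the four trigger methods listed above. The Subject keyword is the slide's “Securemail”; the Sensitivity header value is what Outlook sets for a message marked Confidential; the X-Encrypt-Request header, the lexicon terms and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message

# Trigger 1: keyword in the Subject line (the slide's "Securemail" example).
SUBJECT_KEYWORD = "securemail"
# Trigger 3: Outlook stamps this header when a message is marked Confidential.
CONFIDENTIAL_SENSITIVITY = "company-confidential"
# Trigger 4: hypothetical header a toolbar "Encrypt" add-in would set (assumption).
TOOLBAR_FLAG_HEADER = "X-Encrypt-Request"
# Trigger 2: lexicon / preset policy. SSN pattern plus a constructed PHI term list.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
LEXICON = ("social security", "date of birth", "medical record number", "diagnosis")


@dataclass
class Decision:
    encrypt: bool          # True -> route the message through the encryption gateway
    reasons: list          # which triggers fired, for the audit log


def _text_of(msg: Message) -> str:
    """Concatenate decoded text/plain parts; attachments are not inspected here."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def should_encrypt(raw_message: str) -> Decision:
    """Apply every trigger and record each one that fires."""
    msg = message_from_string(raw_message)
    reasons = []
    if SUBJECT_KEYWORD in str(msg.get("Subject", "")).lower():
        reasons.append("subject keyword")
    if str(msg.get("Sensitivity", "")).lower() == CONFIDENTIAL_SENSITIVITY:
        reasons.append("marked Confidential in Outlook")
    if str(msg.get(TOOLBAR_FLAG_HEADER, "")).lower() == "yes":
        reasons.append("toolbar encrypt button")
    body = _text_of(msg).lower()
    if SSN_RE.search(body):
        reasons.append("lexicon: SSN pattern")
    reasons.extend(f"lexicon: {term}" for term in LEXICON if term in body)
    # Any single trigger is enough: a sender who forgets the keyword is still
    # caught by the content lexicon, which is the point of combining the methods.
    return Decision(encrypt=bool(reasons), reasons=reasons)


# Constructed sample messages (not real mail).
SAMPLES = {
    "keyword": "Subject: Securemail: lab results\n\nPlease see the attached PDF.\n",
    "ssn": "Subject: Billing follow-up\n\nWe have 123-45-6789 on file; please confirm.\n",
    "confidential": "Subject: Visit summary\nSensitivity: Company-Confidential\n\nAttached.\n",
    "plain": "Subject: Office closed Monday\n\nWe are closed for the holiday.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        d = should_encrypt(raw)
        print(f"{name:12} encrypt={d.encrypt} reasons={d.reasons}")
```

In practice the gateway rule would also log each Decision, since the Audit Controls safeguard expects a record of what was examined and why.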

Email Encryption

Recipient clicks on the link to “Open Message” which opens web page:

Email Encryption

Recipient logs in and gets list of encrypted emails in their account. Double click on email to open:

Email Encryption

Recipient can download the attachment or forward the email, which will be encrypted in this case, but that depends on the solution you use.

Email Encryption Headaches

Patients not being able to access the email, time wasted trying to walk patient through the process

Patient gets frustrated and says they want you to “just send it unencrypted”

Given the number of options and programs that offices can use for encryption, offices will have multiple accounts to use, one for each service

Major headache for specialist offices

Multi-step process to access attachments in the encrypted email by the recipient

Windows XP

Support ends April 8, 2014 for Windows XP and Office 2003

No more security updates and patches

Computer will still function, but will be out of HIPAA compliance

No direct upgrade path to Windows 7 or Windows 8

Online Backup Questions

Is the solution HIPAA compliant?

If there is a local copy, is that encrypted?

At any point is the backup not encrypted?

Where are physical locations of servers that store the data?

Can their employees access the data files?

Data Sharing Solutions Questions

Same questions as Online Backup:

Is the solution HIPAA compliant?

If there is a local copy, is that encrypted?

At any point is the file not encrypted?

Where are physical locations of servers that store the data?

Can their employees access the data files?

Miscellaneous Topics

Should I blank my computer screen after a few minutes of inactivity?

Should I lock my computer when I leave the room?

What security is available with my Practice Management software?

Can I print out a schedule that shows patient names and treatments and leave it on my counter?

Windows user accounts and passwords

Practice Management Software user accounts & passwords

Miscellaneous Topics

PITA Patients

PITA staff member

Hard Drive Disposal

Laptop locks

Other topics

End of Course Summary

Dennis M. Walsh, President

Patriot Networks, Inc.

dwalsh@patriotnetworks.com

www.patriotnetworks.com/hipaa

Eat, drink, and be merry for tomorrow we comply!

Sources: 4MedApproved web site

HHS.gov web site