
HIPAA A Refresher Course


Presentation Transcript


    1. HIPAA – A Refresher Course
       Michael J. Schoppmann, Esq.
       Kern Augustine Conroy & Schoppmann, P.C.

    2. HIPAA: The Health Insurance Portability and Accountability Act of 1996

    3. HIPAA Risk Management and Prevention

    4. HIPAA - “Administrative Simplification”
       - Privacy
       - Electronic Transactions and Code Sets
       - National Provider Identifier
       - Security

    5. HIPAA Privacy
       Requires safeguards in place:
       - Administrative
       - Physical
       - Technical

    6. HIPAA Privacy
       Should already have in place:
       - Privacy Notice
       - HIPAA compliant authorizations
       - Policy & Procedure Manual
       - Business Associates Contracts

    7. HIPAA Electronic Transactions and Code Sets Rule
       - Deadline was October 23, 2003
       - YOUR responsibility, NOT the vendors'
       - Move toward electronic billing is economically mandated

    8. HIPAA Electronic Transactions and Code Sets Compliance Checklist – Software Vendors
       - Software HIPAA compliant?
       - Any changes needed (additional fields or removal of fields)?
       - HIPAA compliance certified in writing?

    9. HIPAA Electronic Transactions and Code Sets Compliance Checklist – Health Plans and Payors
       - HIPAA compliant?
       - Instruction Manuals or “Companion Guides” issued?
       - Trading Partner Agreement issued?
       - HIPAA compliance certified in writing?

    10. HIPAA National Provider Identifier
       - Used to coordinate with billing services, vendors, clearinghouses, and payers.
       - Must also be shared with other providers, health plans, clearinghouses, and any entity that may need it for billing purposes.
       - All providers should have already obtained NPIs pursuant to federal law.
       - CMS has provided guidance on how to keep NPPES passwords and information updated and protected.

    11. HIPAA Security: Cited Purpose
       To ensure:
       - Confidentiality
       - Integrity, and
       - Availability of PHI

    12. HIPAA Security: Scope
       - All Electronic Protected Health Information (EPHI), versus Privacy, which covers paper, oral, AND electronic PHI
       - Data in motion AND at rest – stored data and transmitted data
       - Protects against reasonably anticipated threats or hazards to the security or integrity of PHI

    13. HIPAA Security: Compliance Checklist
       - Assess current security, risks and gaps
       - Develop an implementation plan
       - Implement solutions
       - Document solutions
       - Reassess periodically

    14. New HIPAA – The HITECH Act
       - Title XIII of the American Recovery & Reinvestment Act of 2009 (ARRA)
       - Health Information Technology for Economic & Clinical Health Act
       - Enacted Feb. 17, 2009; majority effective Feb. 17, 2010

    15. New HIPAA – The HITECH Act
       - Promotes EHRs
       - Expands HIPAA privacy & security requirements and protections
       - Increases penalties
       - New Data Breach Notification requirement

    16. New HIPAA - Overview
       - Right to Access PHI
       - Minimum Necessary
       - Requested Restrictions
       - Marketing
       - Disclosures Accounting
       - Sale of PHI
       - Extension to BAs
       - Breaches
       - Penalties

    17. New HIPAA - HITECH
       - If CE uses EHR – patient right to electronic copy of records
       - Right to direct CE to transmit electronic copy to third party
       - Minimum Necessary – preference now for Limited Data Sets; de-identified data
       - Patient can restrict disclosure of PHI to health plans for self-pay services

    18. New HIPAA - HITECH
       - Exceptions to use of PHI for marketing no longer applicable where CE is remunerated (limited exceptions)
       - Patient right to accounting of routine disclosures, including TPO, if CE uses an EHR
       - CE/BA cannot sell PHI without specific patient authorization (limited exceptions)

    19. New HIPAA – HITECH – Business Associates
       - BAs now directly regulated; not just through BA agreements
       - Must comply with Security Rule’s administrative, physical & technical safeguards and documentation requirements
       - Subject to additional privacy & security HITECH provisions applicable to CEs

    20. New HIPAA – HITECH – Business Associates
       - Address new requirements in new BA agreements
       - Wait for guidance before amending existing BA contracts
       - But give BAs notice of new obligations, including data breach notice requirements and timeframes

    21. New HIPAA – HITECH – Data Breach
       - Applies to unsecured PHI
       - Breach notification required of CEs and BAs
       - Effective 9/23/09; enforced 2/2010
       - Regulations define breach, timeframe for notice, content of notice, mitigation
       - State laws also apply

    22. New HIPAA – HITECH – Penalties
       - Increased penalties for HIPAA violations, immediately effective
       - BAs now also subject to civil and criminal enforcement
       - Tiered penalties based on fault and corrective action
       - $100/violation if “innocent”
       - Up to $50,000/violation if willful neglect and uncorrected

    23. New HIPAA – HITECH – Penalties
       - State AG can bring civil suit under HIPAA
       - CMPs shared with harmed persons
       - Individuals—not just CEs—can be criminally prosecuted
       - HHS must conduct HIPAA compliance audits

    24. HIPAA Snapshot Audit
       If you answer any of the following statements “False”, you may need to change office procedures.

    25. HIPAA Snapshot Audit
       1. My office does not use a patient sign-in sheet that includes confidential patient information.
       _____ True _____ False

    26. HIPAA Snapshot Audit
       2. My office does not place patient schedules in any place that may be seen by patients or other non-staff individuals.
       _____ True _____ False

    27. HIPAA Snapshot Audit
       3. In my office, all confidential conversations take place, to the maximum extent possible, in areas that cannot be overheard by other patients or non-staff individuals.
       _____ True _____ False

    28. HIPAA Snapshot Audit
       4. In my office, patients and non-staff individuals cannot gain access to our computers or fax machines and cannot view our computer screens.
       _____ True _____ False

    29. HIPAA Snapshot Audit
       5. Each computer user in my office has a personal computer password, these passwords change on a regular basis, and passwords of terminated employees are deleted immediately.
       _____ True _____ False

    30. HIPAA Snapshot Audit
       6. In my office, patients and other non-staff individuals do not have any opportunity to access patient medical records, laboratory reports, and faxes.
       _____ True _____ False

    31. HIPAA Snapshot Audit
       7. My office has formal documented procedures to ensure patient confidentiality when transferring paper files, orders, images, and specimens to other offices.
       _____ True _____ False

    32. HIPAA Snapshot Audit
       8. My office has formal documented procedures for the acceptance of confidential patient information from outside of our office.
       _____ True _____ False

    33. HIPAA Snapshot Audit
       9. My office has confidentiality statements in place and we make patients aware of our confidentiality policies.
       _____ True _____ False

    34. HIPAA Snapshot Audit
       10. My office has formal privacy and security procedures regarding access to confidential information, access to computer information, and access to areas of the office that may contain confidential information.
       _____ True _____ False

    35. HIPAA Snapshot Audit
       11. My office requires the return of all keys and other items that allow access to the office and to computer files when a person is no longer authorized to access information.
       _____ True _____ False

    36. HIPAA Snapshot Audit
       12. My office has formal privacy and security policies for all office personnel, training for all office personnel, and the training of each individual is documented.
       _____ True _____ False

    37. HIPAA Snapshot Audit
       13. If my office uses laptops or other portable equipment that holds confidential patient information, this equipment is secure and can only be accessed by authorized personnel.
       _____ True _____ False _____ NA

    38. HIPAA Snapshot Audit
       14. My office has policies and procedures in place to ensure patient confidentiality by off-site contractors, such as billing and accounting services.
       _____ True _____ False

    39. HIPAA Snapshot Audit
       15. My office has a comprehensive survey of all of our computer systems, including all software.
       _____ True _____ False

    40. HIPAA Snapshot Audit
       16. My office has a disaster plan to protect patient information and contingency plans in the event of a computer systems failure, performs regular virus checks, and corrects any identified problems.
       _____ True _____ False

    41. HIPAA Snapshot Audit
       17. All confidential information – paper and electronic – is stored with appropriate safeguards.
       _____ True _____ False

    42. HIPAA Snapshot Audit
       18. Internet transmissions, including e-mail, and telephone conversations are secure.
       _____ True _____ False

    43. HIPAA Snapshot Audit
       19. My office has confidentiality statements on all faxes and e-mail sent by the office staff.
       _____ True _____ False

    44. Conclusions
       - “Compliance” must be the new focus
       - Incorporate all new HITECH requirements
       - Be involved
       - Be vigilant
       - Be careful

    45. Questions & Conclusions
