
HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT


Presentation Transcript


  1. HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT
     Maria R. Granaudo Gesty, Esq.

  2. What is “HIPAA?”
     • The Health Insurance Portability and Accountability Act
     • HIPAA is the federal law, enacted in 1996
     • Privacy Rule – right of the individual
     • Security Rule – confidentiality is an obligation
     • Electronic Data Exchange
     • Standardized Rules
     • Penalties

  3. HIPAA Basics
     • Important Terminology and Definitions
     • Covered Entity (CE):
       • health plans,
       • healthcare clearinghouses, and
       • healthcare providers (hospitals, doctors, clinics) that conduct certain transactions (e.g. billing) in an electronic form

  4. HIPAA Basics
     • Important Terminology and Definitions
     • Business Associate (BA):
       • Not a member of a Covered Entity’s workforce
       • Performs services for a Covered Entity
       • Creates, maintains or transmits Protected Health Information (PHI)

  5. HIPAA Basics
     • Non-HIPAA Covered Entities:
       • Schools
       • Employer that requests information for sick leave
       • Health clubs/gyms

  6. HIPAA Basics
     • Important Terminology and Definitions
     • Protected Health Information (PHI):
       • Information on health, payment for care
       • Covers more than just medical information, e.g. full-face photo, date of birth, fingerprint and voiceprint
       • Transmissions in any form

  7. Effective HIPAA Privacy Rule Compliance Plan
     • “I know better not to reveal any private or confidential information. Discretion is my ‘middle name.’ Why do I need training?”
     • Designate a Privacy Official
     • HIPAA Compliance Policies and Procedures
     • Identify Privacy Rule Safeguards: Administrative, Physical and Technical Safeguards, what can be reasonably anticipated for your entity.

  8. Specific Questions Impacting Workforce
     • Where do you store PHI? Who has access to PHI?
     • Do you lock your office doors? Leave PHI on your desk?
     • What security do you have at workstations? Do you share passwords?

  9. Specific Questions Impacting Workforce
     • Do you transmit PHI electronically? Is it encrypted?
     • Are computers timed to shut off when not in use for a specific time?
     • Do employees work off site? If so, how is PHI handled?
     • Are there safeguards on all portable devices including mobile phones, tablets and laptops?

  10. PHI Safeguards
     • Follow Company policies for safe practices for your computer system
     • ID and Passwords
       • Select strong passwords
       • Keep confidential and secure
       • Do not share or allow anyone else access to the system under your ID

  11. PHI Safeguards
     • Be mindful of monitor placement and public access to printers in unsecured areas
     • Do not engage in activities that violate Company policies designed to protect PHI (e.g., unauthorized surfing of the Internet, opening unknown email attachments, installing applications not company approved)
     • Know all guidelines for transmittals via fax, email, and mobile devices

  12. Effective HIPAA Privacy Rule Compliance Plan
     • Develop a Process for Filing Complaints
     • Comprehensive Training Program
     • Establish Sanctions for Privacy Violations – time is of the essence
     • Make a Mitigation Plan – Eliminate the fear factor
     • Publish a Non-Retaliation Statement
     • Publish a Non-Waiver of Rights Statement
     • Develop a Document Management Strategy

  13. Permitted Use and Disclosure of PHI
     • General Rule: Workforce members may use or disclose PHI ONLY for permitted purposes – otherwise you must obtain an individual’s specific written authorization
     • Use vs. Disclosure of Information
     • Permitted purposes include: “Treatment,” “Payment,” and “Healthcare Operations” or “TPO”
     • Specific public policy exceptions (public health, law enforcement, health oversight activities)

  14. Permissible Disclosure of Information
     • De-Identified Health Care Information – when there is nothing left to protect
       • Removal of all identifying information includes more than just names and addresses
       • Policy that sets requirements
     • Authorizing PHI Release – permission is granted
       • Good Authorization vs. Bad Authorization

  15. Who Enforces HIPAA and How?
     • Company – Disciplinary action up to and including termination of employment
     • Federal Government – Dept. of Health & Human Services/Office for Civil Rights (“OCR”) – imposes penalties, both civil and criminal
       • Civil Penalties are steep! (Feb. 1, 2018: Fresenius Medical Care North America paying $3.5 million in settlement costs)
       • Criminal penalties have sentencing guidelines up to 10 years
     • HITECH also created new methods for enforcement (e.g. allows state attorneys general to enforce HIPAA regulations)

  16. HIPAA Enforcement
     • Department of Health & Human Services Stats

  17. A Cautionary Tale…
     • $2.5 million settlement shows that not understanding HIPAA requirements creates risk
     • April 24, 2017 – HHS/OCR announced a HIPAA settlement based on the impermissible disclosure of unsecured electronic PHI (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias.

  18. Questions?

  19. burnswhite.com
