RIGHT TO ACCESS AND SECURITY RISK ANALYSIS. Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS


RIGHT TO ACCESS AND SECURITY RISK ANALYSIS
Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS

RIGHT TO ACCESS: WHAT WE'LL COVER
- HHS FAQ overview
- Authorization vs. Right to Access
- Record formats and delivery methods
- Reasonable, cost-based fee*
- Third-party direction
- Examples

EXAMPLES


RIGHT TO ACCESS (February 25, 2016)
- Emphasizes a patient's right to receive a copy of their medical information
DATAFILETECHNOLOGIES.COM 816.437.9134 CULTIVATING & CONNECTING HEALTHCARE EXPERTS

RIGHT TO ACCESS: RELEASED HHS FAQ
- Delivery formats of PHI
- Reasonable, cost-based fee for information
- Right to transmit information to a third party

WHAT'S THE DIFFERENCE? AUTHORIZATION vs. RIGHT TO ACCESS
Authorization (45 CFR 164.508):
- Disclosure of PHI outside of T/P/O and the Privacy Rule
- Permits disclosure
- Required elements: description of the PHI; entity authorized to release; entity authorized to receive; description of the purpose of the disclosure; expiration date; signature and date; statements, such as the right to revoke
Right to Access (45 CFR 164.524):
- The right of an individual or personal representative to obtain records
- Requires disclosure, except where an exception applies
- Designated Record Set
- Is not always required to be in writing
- Notice of Privacy Practices
- Without unreasonable delay

EXAMPLES

RIGHT TO ACCESS: RECORD PRODUCTION
- Paper: if maintained electronically, the CE is expected to deliver the requested information on paper
- Electronic: if maintained electronically, the CE is expected to deliver electronically if readily producible
- If the requested format is not available, access should be provided in another format agreed upon with the patient

RIGHT TO ACCESS: RECORD PRODUCTION (ELECTRONIC)
- Email is okay
- Secure email
- Unsecure email: the patient must acknowledge and sign off on the risks, and the procedure should be addressed in your Security Risk Analysis
- Assumed all CEs can produce PHI this way
- Exception: file size too large

EXAMPLES

HHS / OCR believes this is the fast and cheap way.

WHY AN ELECTRONIC EMPHASIS?
- Prevalence of EHR systems
- Patient portal access
- Another means to foster communication between providers: DIRECT, HIEs, HISPs, structured data

RIGHT TO ACCESS: REASONABLE, COST-BASED FEE*
- Labor for copying the PHI
- Supplies for creating the copy or electronic media
- Postage, where applicable
- Preparation of a summary of the PHI, where applicable
*Anyone else think a few costs are missing?

RIGHT TO ACCESS: REASONABLE, COST-BASED FEE*
This is after the PHI relevant to the request has been identified, retrieved or collected, and is ready to be copied.
Specifically does not include:
- Reviewing the request for access
- Searching for, locating, or reviewing the PHI
- Segregating PHI
You can only charge for copying.

RIGHT TO ACCESS: REASONABLE, COST-BASED FEE*
Three methods are allowed to determine cost:
- Average cost (fee schedule)
- Actual cost (determine the cost each and every time?)
- Flat fee for electronic copies (suggested fee; May 2016 clarification)

WHY DATAFILE?
*Electronic copies do not allow for per-page fees

RIGHT TO ACCESS: THIRD-PARTY DIRECTION
- Right to Access allows patients to direct that their PHI be sent to a third party
- Examples given in the guidance: another provider, a researcher, a consumer tool
- Requests may look similar to authorizations. Do they have a patient directive? Yes: likely a Right to Access request. No: likely an authorization.

MUDDIED WATERS
The recent guidance has created confusion. Limitations on where and to whom these records can go are not established.

RIGHT TO ACCESS: THIRD-PARTY DIRECTION
- Increased prevalence of attorneys utilizing Right to Access requests
- Patient letter ("I authorize")
- The "kitchen sink" approach: cite HITECH; direct the format outside of the patient letter
- Why the increase?

EXAMPLES: AUTHORIZATION vs. RIGHT TO ACCESS

EXAMPLES: IS THIS SUFFICIENT FOR RIGHT TO ACCESS?

WHAT'S NEXT?

WHAT'S NEXT? JUST BECAUSE YOU CAN DOESN'T MEAN YOU SHOULD

WHAT WE'LL COVER
- What is a Security Risk Analysis (SRA)?
- Who needs an SRA?
- Why is an SRA important for my practice?
- Which items need to be documented?
- Where do I go from here?

BUT FIRST

ASSESSMENT VERSUS ANALYSIS
- Risk Assessment: Privacy Rule, Breach Notification Rule; often used interchangeably with Security Risk Analysis
- Risk Analysis: Security Rule; Security Risk Analysis is the preferred terminology when discussing an SRA

HEALTHCARE'S VERSION OF TAXES

THINK ABOUT TAX SEASON

WHO DO YOU TRUST?
- Security Risk Analysis is required by HIPAA, Meaningful Use, and now MIPS
- Like taxes, do you do your SRA in house, or trust a professional?
(Diagram: Threat, Vulnerability, Asset, Risk)

WHAT IS AN SRA? (Besides another item on your to-do list annually)

WHAT IS AN SRA?
- An analysis of HIPAA in your practice
- A comprehensive assessment to document and work toward HIPAA compliance
- Should be done on an annual basis
- Must have an associated work plan to remediate any deficiencies that are found
- The hardest part of a risk analysis is reviewing the IT infrastructure to determine where PHI could be at risk

WHO NEEDS AN SRA?
- Covered entity: provider; payment plan / payer
- Business associate (who accesses PHI?): release of information; attorney; others

DEFINITION
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk analysis of their healthcare organization. A risk analysis helps your organization ensure it is compliant with HIPAA's administrative, physical, and technical safeguards.

MEANINGFUL USE
Meaningful Use requires an SRA:
- Stage 1: Core 15 / Core 13, Protect health information
- MU Stage 2: Core 9, Protect health information
- Stage 3: Measure 1, Protect electronic patient health information

MACRA & MIPS
- MIPS requires an SRA (Advancing Care Information)
- Receive 0 points for the category if no SRA: loss of 25% of your overall score!

WHY IS AN SRA IMPORTANT FOR ME? (Do you like paying government fines?)

MEANINGFUL USE AUDITS
- Audits targeted at up to 20% (1 in 5) of eligible providers
- Either pre- or post-payment of incentive funds
- Failed audits trigger additional audits for other years and providers
- Most failed measure: SRA
- Consider a mock audit as a health check
- Still happening even though the Medicare program is over!
- Expect we will see similar audits under MIPS

HIPAA ENFORCEMENT
HIPAA regulations are enforced by HHS-OCR. Enforcement activities:
- 2015 random audit program
- Breach investigations: covered entities, business associates
- Complaint investigations: dissatisfied patients, disgruntled employees

HIPAA AUDITS
- The audits are coming, the audits are coming! No longer delayed, audits are here!
- Compliance email heard around the world
- 200 desk audits and 24 comprehensive (onsite) audits
- Business associates: Phase 2
- Utilize the HHS / OCR portal to upload information; 10 days to respond / upload information
- Size, location, services, other information, BA

HIPAA AUDITS
- Covered entity audits: 166 total; 103 Privacy and Breach Rules; 63 Security Rule; 90% provider
- Business associates: 41 total; Breach and Security Rules

HIPAA AUDITS: SECURITY RULE AUDIT
- Risk analysis and risk management
- Of the 63 covered entities audited, one received an "in compliance" score; 30 failed; 52 showed negligible effort, essentially a fail
- The OCR is placing emphasis on the Security Rule

HOW DO BREACHES OCCUR?
Breaches can occur when Protected Health Information is:
- Lost
- Stolen
- Accessed in an unauthorized fashion
- Transmitted in an insecure manner

2017 BREACHES
- 345 incidents impacting 500+ patients (327 in 2016)
- 4,721,844 patients impacted
- 41% - 142 hacking incidents (25% increase from 2016; 10% of incidents in 2012)
- 25% - 85 email breaches (60% increase from 2016; 10% in 2012)
- 29% - 55 breaches from lost or stolen devices (78 in 2016; 40% in 2012)

HIPAA HISTORY
In the past, small entities have mostly ignored HIPAA:
- Didn't understand HIPAA
- Cost too much for a consultant
- Took too much time
- Not much electronic data
- Not much hacking
- Not so many breaches
- Not so many audits
- Not so many fines
HIPAA can no longer be ignored!

WHAT CMS SAYS ABOUT HIPAA
- The Security Risk Analysis is NOT optional for small providers
- Simply installing a certified EHR DOES NOT fulfill the security risk analysis MU requirement
- Your EHR vendor DOES NOT take care of everything you need to do about privacy and security
- A checklist DOES NOT suffice for the risk analysis requirement
- The risk analysis needs to be performed annually
- The security risk analysis needs to look at not just the EHR, but your whole IT infrastructure
- It is possible for small practices to do a risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional

WHICH ITEMS NEED TO BE DOCUMENTED? (Or it didn't happen!)
- Security Risk Analysis (and associated work plan or gap analysis)
- Policies and procedures
- Employee training documentation

POLICIES & PROCEDURES DOCUMENTATION
- Every practice needs policies and procedures for both the HIPAA Privacy and Security Rules
- These can be obtained from a variety of sources, and should be inexpensive
- Someone at your practice needs to be responsible for enforcing these policies and procedures (Compliance / Security / Privacy Officer)

DOCUMENT, DOCUMENT, DOCUMENT!
- Understand that you are not HIPAA compliant if you have not documented it
- You can only withstand an audit through proper documentation; this includes a strong Security Risk Analysis
- Practices have received large fines for lack of documentation
What should be documented:
- Security Risk Analysis
- Gap analysis
- Policies / procedures
- Training
- Media disposal
- Security incidents
- Computer log reviews

ELEMENTS
- Threat
- Vulnerability statement
- Existing controls
- Risk (color code)
- Control effectiveness
- Likelihood
- Impact
- Overall risk rating
- Additional considerations
- Work plan: updates, due date, responsibility
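A worked risk-analysis record carrying these elements for the deck's own unsecure-email delivery scenario (an added example, not code from the presentation or from DataFile Technologies; the 1-5 likelihood/impact scales, the colour thresholds and the rule that control effectiveness lowers likelihood are assumptions, and the ratings are constructed):

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Assumed scales (the slide names the fields but fixes no scale):
# likelihood and impact 1-5; control effectiveness 0 (none) to 2 (effective).
COLOR_BANDS = ((15, "RED"), (8, "YELLOW"), (1, "GREEN"))  # assumed thresholds


def risk_rating(likelihood: int, impact: int) -> tuple[int, str]:
    """Overall risk rating = likelihood x impact, mapped to a colour code."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    score = likelihood * impact
    for floor, color in COLOR_BANDS:
        if score >= floor:
            return score, color
    raise AssertionError("unreachable: score is always >= 1")


@dataclass
class RiskEntry:
    threat: str
    vulnerability: str
    existing_controls: list[str]
    control_effectiveness: int  # 0-2, assumed scale
    likelihood: int             # inherent likelihood, before controls
    impact: int
    additional_considerations: str = ""
    work_plan: list[dict] = field(default_factory=list)

    def residual_likelihood(self) -> int:
        # Assumed rule: each level of control effectiveness lowers the
        # inherent likelihood by one step, never below 1.
        return max(1, self.likelihood - self.control_effectiveness)

    def overall_rating(self) -> tuple[int, str]:
        return risk_rating(self.residual_likelihood(), self.impact)

    def needs_work_plan(self) -> bool:
        # Anything not rated GREEN must carry remediation in the work plan.
        return self.overall_rating()[1] != "GREEN"

    def add_work_plan_item(self, update: str, due: date, responsibility: str) -> None:
        self.work_plan.append({"update": update, "due_date": due.isoformat(),
                               "responsibility": responsibility})


def unsecured_email_entry() -> RiskEntry:
    """Constructed entry for the slide's scenario: PHI emailed unencrypted
    at the patient's request. All ratings are illustrative assumptions."""
    entry = RiskEntry(
        threat="Interception or misdelivery of PHI sent by unencrypted email",
        vulnerability="Staff send records to patient-supplied addresses without encryption",
        existing_controls=["Patient signs acknowledgement of risks before unsecure delivery"],
        control_effectiveness=1, likelihood=4, impact=4,
        additional_considerations="Large files are excepted from email delivery",
    )
    if entry.needs_work_plan():
        entry.add_work_plan_item("Offer a secure email or portal option as the default",
                                 date(2018, 12, 31), "Security Officer")
    return entry
```

The inherent rating (4 x 4 = 16, RED) drops to a residual 12 (YELLOW) once the signed acknowledgement is credited, which is why the entry still produces a work plan item.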

DOCUMENT


ANNUAL TRAINING
- Employees must be trained on HIPAA before they start work in your practice
- All other employees must be trained annually
- Third parties can provide HIPAA educational services
- Keep records of training!

WHERE DO I GO FROM HERE?
- You have to start somewhere! Ensure you have a Privacy / Security Officer!
- In-house: HHS (Health and Human Services) / OCR (Office for Civil Rights) tool
- EHR vendor may offer the service for a fee
- Healthcare attorney (may also utilize a healthcare IT group)
- Experienced third party

IN SUMMARY
- Security Risk Analysis audits are no longer limited to MU
- Protect your practice and your investment: utilize professional service tools for your SRA
- Sleep soundly at night!

Thank You
Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS
Kathryn.Wickenhauser@DataFileTechnologies.com
Twitter: @KAWickenhauser
bit.ly/kawresource