HIPAA Security How secure and compliant are you from this 5 letter word?

January 29, 2014, www.prnadvisors.com

About me
- Over 20 years in IT as hands-on leader
- Implemented EMRs of all sizes for hospitals, multi-specialty practices and individual providers
- HIPAA Security Officer providing right-sized solutions for compliance and HIPAA IT regulations
- Assisted in bringing in over $2 million in Meaningful Use attestation money
- PMP and Six Sigma certified for Lean IT implementation
- Provides fractional IT services for day-to-day support or project-based IT work around healthcare (EMR, HIPAA, networking, data analytics, etc.)
- Please feel free to email me: apatane@prnadvisors.com

Latest about HIPAA Security
- Maximum fines per incident for non-compliance can be up to $1.5 million
- Medical records are valued at ten times more than credit card data on the black market
- Threat organizations are targeting all healthcare facilities, hospitals and insurance companies
- Cyber threats cannot be handled quickly enough to be dealt with proactively
- Stolen records are being used to file claims, be treated as patients, obtain prescriptions and commit identity theft

Agenda
- What is HIPAA and who oversees this function?
- HIPAA Security Rule
- Who must comply with the HIPAA Security Rule
- What information is protected
- General rules
- Risk analysis
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- What happens if you don't comply
- Do you have your BAAs in order?
- Where to begin with being compliant

What is HIPAA
- The HIPAA Act was published and is overseen by the Office for Civil Rights (OCR)
- Health Insurance Portability and Accountability Act of 1996
- Portability: guarantees health coverage when employees change jobs
- Accountability: establishes national standards for protecting health data

Privacy Rule
- Applies to paper/oral/electronic records
- Sets boundaries on the use and disclosure of health information
- Gives patients more control over their own health information
- Establishes safeguards for protecting the privacy of health information
- Holds providers and payers accountable for violations of privacy requirements

Security Rule
- Applies to electronic records only (the Privacy Rule addresses security of paper records)
- Requirements for providers and payers to assure that electronic health information pertaining to individuals remains secure
- Technology-neutral
- Scalable
- Addresses administrative, technical and physical safeguards

Privacy vs. Security
- Privacy and Security go hand-in-hand
- Privacy is the "what": patients have the right to have their health information protected from unauthorized disclosures
- Security is the "how": agencies must determine the procedures they will put into place to protect health information

Who is Impacted by HIPAA
- Professionals who provide services or activities through a contractual agreement with a health care provider/plan
- Individuals/professionals who work directly for a health care provider/plan
- Patients who seek services from a health care provider or health care plan

Data elements considered PHI
- Name
- Geographic subdivisions smaller than a state: street address, city, county, state, zip code
- All elements of dates (except year) related to an individual
- Telephone/fax numbers
- E-mail address
- Social Security number
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers/license plate number

Administrative Safeguards
Security Management Process. A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
Examples include: new employee training on HIPAA, monitoring the EMR for login attempts or failures, a policy for disabling users when terminated, or a password policy.

Physical Safeguards
Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Examples: Can you get to data if you have an issue with site access? Who has access to the building and computers?

Technical Safeguards
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI). Example: Do all users have a unique user name?
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI. Example: A policy or system that reviews failed login attempts.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed. Example: Identify all users on the system who can delete information, and review them.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network. Example: Do you have a firewall or VPN connection that secures where PHI is saved?
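The audit-control and integrity-control examples on this slide, together with the "disable terminated users" example under Administrative Safeguards, as one small review script; this is an added example, not code from the presentation or from prnadvisors.com. The key=value audit-log format, the sample log lines and the termination list are all constructed assumptions, so a real EMR export will need its own parser in place of LINE_RE.

```python
import re
from collections import Counter

# Constructed sample EMR audit log (not from the presentation). The
# key=value line format is an assumption, not any real EMR's format.
SAMPLE_LOG = """\
2014-01-20T08:01:12 user=jsmith action=login result=FAIL
2014-01-20T08:01:30 user=jsmith action=login result=FAIL
2014-01-20T08:01:55 user=jsmith action=login result=FAIL
2014-01-20T08:05:00 user=nurse1 action=login result=OK
2014-01-20T08:06:21 user=nurse1 action=delete record=MRN-1001 result=OK
2014-01-20T08:15:44 user=tjones action=login result=OK
"""
# Constructed HR termination list: accounts that should already be disabled.
TERMINATED = {"tjones"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: record=(?P<record>\S+))? result=(?P<result>\S+)$")

def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def failed_logins(events, threshold=3):
    """Audit control: users whose failed login count reaches the threshold."""
    fails = Counter(e["user"] for e in events
                    if e["action"] == "login" and e["result"] == "FAIL")
    return {u: n for u, n in fails.items() if n >= threshold}

def deletions(events):
    """Integrity control: every successful deletion, listed for manual review."""
    return [(e["user"], e["record"]) for e in events
            if e["action"] == "delete" and e["result"] == "OK"]

def terminated_but_active(events):
    """Workforce management: terminated accounts that still log in successfully."""
    active = {e["user"] for e in events
              if e["action"] == "login" and e["result"] == "OK"}
    return sorted(active & TERMINATED)
```

Run the three functions over each periodic log export and keep the output with the risk-analysis records, since the "Evaluation" standard expects the review to be repeatable.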

Impact of Not Complying
- Possible litigation
- Potential withholding of federal Medicaid and Medicare funds
- Penalties: civil monetary penalties for violations of each standard
- Wrongful disclosure of health information

Business Associates
- Person/agency who performs a function or activity for or on behalf of a covered entity that involves the use of PHI
- Must enter into a Business Associate Agreement or Memorandum of Understanding with a covered entity
- DHHS agencies have both Internal (within the

Who is a Business Associate
Examples:
- Collection agency
- Private attorney
- Auditing firm
- Record copying service
- Recycling service
- Messenger or shipping service

HIPAA
- HIPAA regulations around EMR need to be considered prior to, during and after implementation.
- The last question during Meaningful Use attestation asks if a risk analysis has been done on your systems. YOU NEED TO HAVE THIS!!
- HIPAA IT also applies to your current environment that has access to PHI: Internet, billing, e-prescribe, etc.

Where do I begin?
- An initial risk analysis should be completed that reviews the entire set of systems and processes around HIPAA Security (including BAAs and all safeguards).
- Implement corrective actions based on the output of the analysis to meet the HIPAA Required (vs. Addressable) requirements.
- At least an annual assessment should be done to ensure compliance is in order and to prevent future issues. This is a mandate if you're attesting for Meaningful Use money. YOU CAN BE AUDITED.
- Contact apatane@prnadvisors.com for more detail on how to start.

Open Agenda: Q&A

CEU Questions
1. Do providers have to be HIPAA compliant? a) Yes b) No
2. Who oversees HIPAA? a) AMA b) FBI c) Office of Civil Rights
3. What agreement should be in place with vendors who access PHI? a) Non Compete b) NDA c) BAA
4. An example of a technical safeguard is? a) Auditing of logins b) Windows 7 c) Safe where disks are locked up
5. Does a practice using an EMR need to be HIPAA compliant? a) Yes b) No
6. Name one of three safeguards. a) ________
7. What year was the HIPAA rule enacted? a) 1953 b) 1996 c) 2014
8. How often should a risk analysis be completed? a) Once b) Yearly c) Every 10 years
9. Name one element or item that is part of PHI. a) ________
10. List one example of an administrative safeguard. a) ________

CEU Answers
A; Administrative, Technical or Physical; B; A; C; A; A; SS#, DOB, NAME, ADDRESS; A; New employee training on HIPAA, monitoring on EMR for login attempts or failures, policy for disabling users when terminated or password policy