HIPAA Security
How secure and compliant are you from this 5 letter word?
January 29, 2014
www.prnadvisors.com 1
About me
Over 20 years in IT as a hands-on leader
Implemented EMRs of all sizes for hospitals, multi-specialty practices and individual providers
HIPAA Security Officer providing right-sized solutions for compliance and HIPAA IT regulations
Assisted in bringing in over $2 million in Meaningful Use attestation money
PMP and Six Sigma certified for Lean IT implementation
Provides fractional IT services for day-to-day support or project-based IT work around healthcare (EMR, HIPAA, networking, data analytics, etc.)
Please feel free to email me: apatane@prnadvisors.com
Latest about HIPAA Security
Maximum fines per incident for non-compliance can be up to $1.5 million
Medical records are valued at ten times more than credit card data on the black market
Threat organizations are targeting all healthcare facilities, hospitals and insurance companies
Cyber threats emerge faster than they can be handled proactively
Stolen records are being used to file claims, obtain treatment as patients, obtain prescriptions and commit identity theft
Agenda
What is HIPAA and who oversees this function?
HIPAA Security Rule
Who must comply with the HIPAA Security Rule
What information is protected
General rules
Risk analysis
Administrative safeguards
Physical safeguards
Technical safeguards
What happens if you don't comply
Do you have your BAAs in order?
Where to begin with being compliant
What is HIPAA
The HIPAA Act was published and is overseen by the Office for Civil Rights (OCR)
Health Insurance Portability and Accountability Act of 1996
Portability: guarantees health coverage when employees change jobs
Accountability: establishes national standards for protecting health data
Privacy Rule
Applies to paper/oral/electronic records
Sets boundaries on the use and disclosure of health information
Gives patients more control over their own health information
Establishes safeguards for protecting the privacy of health information
Holds providers and payers accountable for violations of privacy requirements
Security Rule
Applies to electronic records only (the Privacy Rule addresses security of paper records)
Requirements for providers and payers to assure that electronic health information pertaining to individuals remains secure
Technology-neutral
Scalable
Addresses administrative, technical and physical safeguards
Privacy vs. Security
Privacy and Security go hand-in-hand
Privacy is the "what": patients have the right to have their health information protected from unauthorized disclosures
Security is the "how": agencies must determine the procedures they will put into place to protect health information
Who is Impacted by HIPAA
Professionals who provide services or activities through a contractual agreement with a health care provider/plan
Individuals/professionals who work directly for a health care provider/plan
Patients who seek services from a health care provider or health care plan
Data elements considered PHI
Name
Geographic subdivisions smaller than a state: street address, city, county, state, zip code
All elements of dates (except year) related to an individual
Telephone/fax numbers
E-mail address
Social Security Number
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers/license plate number
Administrative Safeguards
Security Management Process. A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
Examples include: new employee training on HIPAA; monitoring the EMR for login attempts or failures; a policy for disabling users when terminated; a password policy.
Physical Safeguards
Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Examples: Can you get to data if you have an issue with site access? Who has access to the building and computers?
Technical Safeguards
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI). Example: Do all users have a unique user name?
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI. Example: a policy or system that reviews failed login attempts.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed. Example: identify all users on the system who can delete information, and review them.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network. Example: Do you have a firewall or VPN in place that secures where PHI is saved?
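The audit-control, integrity-control and terminated-user checks described on this slide and on the Administrative Safeguards slide can be run as a routine review of the EMR audit log. The following is an added example written for this page, not code from the presenter or from any EMR product; the log format (timestamp, user, action, outcome) and the sample lines are constructed assumptions, as is the list of shared account names.

```python
import re
from collections import Counter

# Constructed sample EMR audit log (assumed format: timestamp user action outcome).
SAMPLE_LOG = """\
2014-01-28T08:01:12 jsmith LOGIN SUCCESS
2014-01-28T08:02:40 nurse LOGIN SUCCESS
2014-01-28T08:05:01 tlee LOGIN FAILURE
2014-01-28T08:05:09 tlee LOGIN FAILURE
2014-01-28T08:05:15 tlee LOGIN FAILURE
2014-01-28T08:05:22 tlee LOGIN FAILURE
2014-01-28T09:10:33 jsmith DELETE_RECORD SUCCESS
2014-01-28T09:15:00 mjones LOGIN SUCCESS
2014-01-28T10:00:00 nurse DELETE_RECORD SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")

def parse_log(text):
    """Parse one event per line; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m.group(1), "user": m.group(2),
                           "action": m.group(3), "outcome": m.group(4)})
    return events

def failed_login_review(events, threshold=3):
    """Audit control: users whose failed LOGIN count reaches the review threshold."""
    fails = Counter(e["user"] for e in events
                    if e["action"] == "LOGIN" and e["outcome"] == "FAILURE")
    return {user: n for user, n in fails.items() if n >= threshold}

def delete_review(events, shared_accounts=("nurse", "admin", "frontdesk")):
    """Integrity control: who deleted records, and which of them are shared
    (non-unique) accounts that cannot be tied to one workforce member."""
    deleters = sorted({e["user"] for e in events
                       if e["action"] == "DELETE_RECORD" and e["outcome"] == "SUCCESS"})
    shared = [u for u in deleters if u in shared_accounts]
    return deleters, shared

def terminated_access_review(events, terminated):
    """Administrative safeguard: successful logins by workforce members after
    their termination date (terminated maps user -> YYYY-MM-DD end date)."""
    return [(e["user"], e["ts"]) for e in events
            if e["action"] == "LOGIN" and e["outcome"] == "SUCCESS"
            and e["user"] in terminated and e["ts"][:10] > terminated[e["user"]]]
```

Each function returns findings for a reviewer to act on; the termination dates would come from HR records in practice.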
Impact of Not Complying
Possible litigation
Potential withholding of federal Medicaid and Medicare funds
Penalties: civil monetary penalties for violations of each standard
Wrongful disclosure of health information
Business Associates
Person/agency who performs a function or activity for or on behalf of a covered entity that involves the use of PHI
Must enter into a Business Associate Agreement or Memorandum of Understanding with a covered entity
DHHS agencies have both Internal (within the
Who is a Business Associate
Examples: collection agency, private attorney, auditing firm, record copying service, recycling service, messenger or shipping service
HIPAA
HIPAA regulations around the EMR need to be considered prior to, during and after implementation.
The last question during Meaningful Use attestation asks if a risk analysis has been done on your systems. YOU NEED TO HAVE THIS!!
HIPAA IT also applies to your current environment that has access to PHI: Internet, billing, e-prescribe, etc.
Where do I begin?
An initial risk analysis should be completed that reviews the entire set of systems and processes around HIPAA Security (including BAAs and all safeguards).
Implement corrective actions based on the output of the analysis to meet the HIPAA Required (vs. Addressable) requirements.
At least an annual assessment should be done to ensure compliance is in order and to prevent future issues. This is a mandate if you're attesting for Meaningful Use money. YOU CAN BE AUDITED.
Contact apatane@prnadvisors.com for more detail on how to start
Open Agenda Q&A
CEU Questions
1. Do providers have to be HIPAA compliant? a) Yes b) No
2. Who oversees HIPAA? a) AMA b) FBI c) Office of Civil Rights
3. What agreement should be in place with vendors who access PHI? a) Non Compete b) NDA c) BAA
4. An example of a technical safeguard is? a) Auditing of logins b) Windows 7 c) Safe where disks are locked up
5. Does a practice using an EMR need to be HIPAA compliant? a) Yes b) No
6. Name one of the three safeguards. a)
7. What year was the HIPAA rule enacted? a) 1953 b) 1996 c) 2014
8. How often should a risk analysis be completed? a) Once b) Yearly c) Every 10 years
9. Name one element or item that is part of PHI. a)
10. List one example of an administrative safeguard. a)
CEU Answers A Administrative, Technical or Physical B A C A A SS#, DOB, NAME, ADDRESS A New employee training on HIPAA, Monitoring on EMR for login attempts or failures, Policy for disabling users when terminated or password policy