HIPAA. What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional)


HIPAA, Infection Control, OSHA, Dental Practice Act

In the dental field since 1972, Leslie helps simplify complex regulations. She provides in-office training, compliance audits, consulting, workshops, and mock inspections. For the 6th year in a row, she has been listed as a Leader in Consulting by Dentistry Today. She is authorized by the Department of Labor, the Academy of General Dentistry, and the California Dental Board to provide continuing education. Leslie is the founder of Leslie Canham and Associates.

HIPAA Top Ten Tips
1. Appoint your Privacy/Security Official.
2. Re-write your current HIPAA Notice of Privacy Practices.
3. Conduct and document a Risk Assessment.
4. Create new written plans (Office Policies) to demonstrate how your practice will comply with HIPAA regulations.
5. Create written logs:
   Amendment Request Log
   Disclosures of Patient Information Log
   Complaint Log
   Breach Log
   Security Incident Log
   Emergency Access Log
   Maintenance Repair Log
   Electronic Media and Hardware Movement Log
6. Update your Business Associate Agreements and have each Business Associate sign the new agreement.
7. Understand your patients' rights.
8. Conduct workforce training.
9. Learn how to prevent breaches and know when you must provide breach notification.
10. Have a Disaster Recovery Plan/Contingency Plans in place.

Privacy Official's responsibilities:
1. Develop and implement privacy policies and procedures.
2. Receive complaints.
3. Provide further information about matters covered in the Notice of Privacy Practices.
4. Consult with the workforce in all privacy matters.
5. Document and maintain all policies, procedures and actions taken by the practice with regard to the HIPAA Privacy Rule. Retain documentation for six years from the date of its creation or the date when it was last in effect, whichever is later.

Security Official's responsibilities:
1. Conduct a Risk Assessment to determine if ePHI is vulnerable.
2. Determine if security has been compromised.
3. Conduct employee training on physical and technical security.
4. Enforce security policies.
5. Maintain passwords.
6. Oversee and audit failed log-in attempts.
7. Install current firewalls and virus protection, secure computers from theft, keep an inventory of computer equipment, back up data in a secure location, and set up a disaster recovery plan.

HIPAA
"HIPAA" is an acronym for the Health Insurance Portability and Accountability Act of 1996. The HIPAA rule includes a section called Administrative Simplification, which is composed of four parts:
1. Privacy Rule
2. Standards for Electronic Transactions
3. Unique Identifiers Standards
4. Security Rule

Key provisions of the Privacy Rule include:
Access to medical records
Notice of Privacy Practices
Limits on use of Protected Health Information
Confidential communications
Complaints
Written privacy policies
Employee training
Privacy Officer

Key provisions of the Security Rule include:
1. Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the dentist creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule.
4. Ensure that employees comply with HIPAA.

The Security standards require dentists to protect ePHI using these safeguards:
Administrative Safeguards
Physical Safeguards
Technical Safeguards

The Security Rule Implementation Specifications
Implementation specifications are standards that are considered either Required or Addressable.
Required means the specification must be implemented.
Addressable means you determine whether the standard is reasonable and appropriate for your practice. If it is, implement the security specification. If it is not reasonable and appropriate, implement an alternative that is reasonable and appropriate. If there is no reasonable and appropriate alternative, do nothing except document your decision.

The HITECH Act
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) provisions were enacted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act introduced the new Breach Notification Rule.

Final Omnibus Rule
Issued 1-17-13; effective 3-26-13. Extends patient privacy and security protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule:
Enhances HIPAA enforcement
Expands many HIPAA requirements to "business associates" such as contractors and subcontractors that receive protected health information
Restricts disclosures to a health plan concerning treatment for which the provider has been paid out of pocket in full
Modifies rules that apply to marketing and fundraising communications and the sale of protected health information
Expands the definition of "health information" to include genetic information
Clarifies when data breaches must be reported to the HHS Office for Civil Rights

HIPAA Final Omnibus Rule: final deadline 9-23-13
Business Associate Agreements must be modified, in writing, and signed
Notice of Privacy Practices must be revised and re-posted
Update workforce training on the Final Rule

Breach Notification (HITECH Act)
According to the Department of Health and Human Services, Office for Civil Rights (OCR), a Breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

There are three exceptions to the definition of a breach.
1. Unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. Business associates are those who have access to a patient's protected health information, such as an accountant, attorney, consultant, or computer support technician.
2. Inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at a covered entity or business associate. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
3. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information.

Covered entities must notify individuals whose personal information was breached. A breach is unauthorized access to or use of unencrypted, computerized protected health information. Unauthorized access to or use of protected health information on paper, film or other non-computer media also constitutes a breach. A breach of protected health information occurs when the information accessed has a person's name in combination with any of the following:
Social Security number, or
Driver's License or Identification number, or
Financial account number, credit or debit card number, or
Medical information, or
Health insurance information

Breach Notification (continued)
In the event a patient's unsecured protected health information is acquired, accessed, used or disclosed in an unauthorized way, notification must be made.
1. Patients must be notified without delay, but no later than 60 days after discovery of the breach.
2. If the breach affects 500 or more patients, it must be reported to the Department of Health and Human Services and, in California, to the State Attorney General's office.
3. If the breach affects 500 or more patients residing in the same area, the breach must be reported to local media and the Department of Health and Human Services.
4. If you decide to provide affected individuals with a credit monitoring service (optional), provide the service for no less than 12 months and at the dental practice's expense.
5. Business Associates are now required to notify the dentist if a breach occurs so notifications can be made.

Resources:
American Dental Association Complete HIPAA Compliance Kit with the training DVD and 3-year subscription to the HIPAA Compliance Update Service. Go to www.ada.org or call 800-947-4746 to order.

Online resources:
To use the online HIPAA Privacy and Security training games, go to: https://www.healthit.gov/providers-professionals/privacy-security-training-games
The HIPAA E-Tool, www.thehipaaetool.com, 1-800-570-5879. The HIPAA E-Tool is a cloud-hosted software program that helps office managers, practitioners, and business associates assess risk and then work toward compliance.
For Security Risk Assessment tools and tutorials, go to: http://www.healthit.gov/providers-professionals/security-risk-assessment
For more information, visit the United States Department of Health and Human Services website at www.hhs.gov.

This checklist will help you get started on the path to HIPAA compliance. Be sure to allow ample time to complete the implementation from your current HIPAA program to the new program. The deadlines have passed and the items listed below are required. To streamline the process, many of my clients have me perform the implementation tasks. In two days, I will train your team, complete the tasks below, and provide you with the required documentation, logs, and written plans. Give me a call at 888-853-7543 if you would like my help. ~Leslie

Checklist for Compliance With HIPAA Privacy, Security, Breach Notification, and Omnibus Rule (To Do / Done)
Identify who will be responsible for tasks. Appoint a Privacy and Security Official.
Leslie's recommendation: Contact the American Dental Association and purchase the Complete HIPAA Compliance Kit with the training DVD and 3-year subscription to the HIPAA Compliance Update Service. Go to www.ada.org or call 800-947-4746 to order. OR subscribe to The HIPAA E-Tool, an online service: www.thehipaaetool.com, 1-800-570-5879.
Read the HIPAA Compliance Kit and watch the training DVD (ADA Kit), or log in to your HIPAA account to start.
Conduct a Risk Analysis and document your findings. Some of the items are required and some are addressable. You must take action on the required items; the addressable items are scalable to your practice, so be sure to document your action or decision on each item.
Review your Risk Analysis and determine where more safeguards are needed.
Re-write your HIPAA Notice of Privacy Practices to reflect the changes.
Post your new HIPAA Notice of Privacy Practices (NOPP) in your office and on your practice website.
Provide the NOPP to all new patients and get signatures acknowledging receipt of the NOPP.
Create new written plans to demonstrate how your practice will adhere to HIPAA regulations. These written plans can be created using the HIPAA Kit sample policies.
Make a list of all your Business Associates.
Update your Business Associate Agreement to reflect the current regulations and have all of your Business Associates sign the new agreement.
Understand how to prevent breaches and know when you must provide breach notification.
Create an Amendment Request Log.
Create a Disclosures of Patient Information Log.
Create a Complaint Log.
Create a Breach Log.
Create a Security Incident Log.
Create an Emergency Access Log.
Create a Maintenance Repair Log.
Create an Electronic Media and Hardware Movement Log.
Train your workforce (both clinical and administrative) on the new regulations. Document training.
Review all privacy, security, and breach notification rules.
Create an ongoing reminder program on workforce requirements for security of patient data.