HIPAA Compliance Guide

This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your business can achieve compliance.

Important Terms

Covered Entities (CEs): The HIPAA Privacy Rule refers to three specific groups as covered entities: health plans, healthcare clearinghouses, and health care providers that transmit health information electronically.

Business Associates (BAs): A person or organization that conducts business with a covered entity that involves the use or disclosure of individually identifiable health information.

Electronic Medical Records (EMRs): Digital versions of the paper charts in a clinician's office. An EMR contains the medical and treatment history of the patients in one practice.

Electronic Health Records (EHRs): EHRs focus on the total health of the patient, going beyond the standard clinical data collected in the provider's office to give a broader view of a patient's care. EHRs are designed to reach beyond the health organization that originally collects and compiles the information. They are built to share information with other health care providers, such as laboratories and specialists, so they contain information from all the clinicians involved in the patient's care.

Medical Practice Management Software (PMS): A category of healthcare software that deals with the day-to-day operations of a medical practice. Such software frequently allows users to capture patient demographics, schedule appointments, maintain lists of insurance payers, perform billing tasks, and generate reports.

Subcontractor: A person or organization to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of that business associate.

Techvera.com

HIPAA

The United States requirements for securely managing information systems in health care are substantially governed by federal regulations, specifically HIPAA. The detailed requirements and responsibilities are covered by the HIPAA Omnibus Rule, issued in January 2013. Initially, the regulations for safeguarding health information applied primarily to health care delivery providers and insurers, known as covered entities. The 2013 Omnibus Rule extends direct liability to the business associates of those covered entities, which must now also be HIPAA compliant. All existing and new business associates had to achieve compliance by September 23, 2013. The data covered under this requirement is known as Protected Health Information (PHI).

The Omnibus Rule specifically treats cloud service providers (CSPs) as business associates: "...document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold." MSPs and VARs that store, transmit, or otherwise handle PHI through cloud-based services and products are therefore business associates too and must achieve HIPAA compliance. Health care demand for information technology, and especially for secure storage, is vast, so MSPs and VARs need a clear strategy and plan for reducing their potential liability.

Electronic Protected Health Information (ePHI)

PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual; ePHI is PHI that is created, received, stored, or transmitted in electronic form. The definition is interpreted broadly and includes any part of a patient's medical record or payment history. Under HIPAA, health information linked to any of the following 18 identifiers must be treated with special care (these are the identifiers the Privacy Rule's "safe harbor" de-identification standard requires to be removed):

- Names
- Dates (all elements except year) directly related to an individual
- Geographic identifiers
- Social Security Numbers
- Health insurance beneficiary numbers
- Fax numbers
- Phone numbers
- Email addresses
- Medical record numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers
- Any other unique identifying number, characteristic, or code
- Full-face photographic images
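As an added example (not part of the Techvera guide), the Python scanner below flags the pattern-detectable subset of those 18 identifiers in free text and redacts them. The clinical note is constructed, and the regular expressions are illustrative rather than a complete de-identification tool: names, geographic subdivisions, medical record, account and device numbers, and biometrics have no fixed syntax and need dictionaries, schema knowledge, or named-entity recognition instead. It also encodes two safe-harbor edge cases a pattern scanner should get right: a bare year is not an identifier, and ages over 89 are.

```python
import re

# Pattern-detectable subset of the Safe Harbor identifiers. Names, geographic
# subdivisions, MRNs, account/device numbers and biometrics have no fixed
# syntax and are out of scope for a regex pass. Patterns are illustrative.
IDENTIFIER_PATTERNS = {
    # URLs before IPs so an address inside a URL is redacted once.
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # North American phone/fax numbers; Safe Harbor lists both as identifiers.
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}(?!\d)"),
    # Safe Harbor removes all date elements except the year, so a bare year
    # such as "1928" is deliberately not matched.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Ages over 89 must be aggregated into a single "90 or older" category.
    "age_over_89": re.compile(r"\b(?:age|aged)\s+(?:9\d|[1-9]\d{2})\b", re.I),
}


def find_identifiers(text):
    """Return (kind, matched_text) for every identifier pattern hit."""
    return [(kind, m.group(0))
            for kind, pat in IDENTIFIER_PATTERNS.items()
            for m in pat.finditer(text)]


def redact(text):
    """Replace each hit with a bracketed placeholder, in pattern order."""
    for kind, pat in IDENTIFIER_PATTERNS.items():
        text = pat.sub("[%s]" % kind.upper(), text)
    return text


def safe_harbor_clear(text):
    """True when no pattern-detectable identifier remains in the text."""
    return not find_identifiers(text)


# Constructed sample note (no real patient data).
SAMPLE_NOTE = (
    "Pt seen 03/14/2019, age 91, SSN 123-45-6789, cell (555) 010-2233, "
    "email j.doe@example.com; portal https://portal.example.org/visit/88 "
    "from 203.0.113.7. Year of birth 1928 only."
)

if __name__ == "__main__":
    for kind, hit in find_identifiers(SAMPLE_NOTE):
        print("%-13s %s" % (kind, hit))
    print(redact(SAMPLE_NOTE))
```

A scanner like this is a screening control for outbound data (support tickets, log exports, test fixtures), not proof of de-identification: a clean result only means none of the syntactic identifiers were found, and the remaining identifiers still have to be handled by a process that knows the data schema.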

HITECH Act

Covered entities are liable under the final rule for violations resulting from the acts or omissions of a business associate if that business associate is an agent of the covered entity and is acting within the scope of the agency arrangement. If the business associate is not acting within the scope of that agency arrangement, the business associate itself is liable. Likewise, a business associate is liable for violations resulting from the acts or omissions of a subcontractor if that subcontractor is an agent of the business associate and is acting within the scope of that agency arrangement.

Business associates must comply with the final rule beginning September 23, 2013. However, there is a special one-year transition period for bringing existing business associate agreements into compliance with the final rule.

Civil penalties for willful neglect are increased under the HITECH Act. Penalties reach $50,000 per violation, with an annual cap of $1.5 million for repeat or uncorrected violations of the same provision.

HIPAA Omnibus Rule

Business associates now include any of the following types of entities:

- A health information organization, e-prescribing gateway, or any other entity that provides data transmission services to a covered entity and requires routine access to PHI.
- An entity that offers a personal health record on behalf of a covered entity. If the personal health record is not offered on behalf of a covered entity, the vendor is not a business associate.
- A subcontractor of a covered entity, as well as any subcontractor of a business associate, if the subcontractor accesses PHI of the covered entity.
- Any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity.

This rule change also reaches subcontractors of business associates: a covered entity's business associates must enter into Business Associate Agreements (BAAs) with their own subcontractors that will create, receive, maintain, or transmit PHI on their behalf.

HIPAA Safeguards

Under HIPAA, all covered entities and business associates must secure health information under a prescribed controls framework that provides adequate safeguards for physical facilities, administrative requirements (e.g. adequate security policies), and technical infrastructure. Health care demand for information technology, and especially for secure storage, is vast, so MSPs and VARs need a clear strategy and plan for reducing their potential liability. Steps that need to be taken include:

- Ensuring the confidentiality, integrity, and availability of all electronic PHI (ePHI) they create, receive, maintain, or transmit.
- Identifying and protecting against reasonably anticipated threats to the security or integrity of the information.
- Protecting against reasonably anticipated, impermissible uses or disclosures.
- Ensuring compliance by the internal workforce and subcontractors.

If MSPs handle or have access to unencrypted ePHI, they must also conduct a security risk analysis that includes the following activities:

- Evaluating the likelihood and impact of potential risks to ePHI.
- Implementing appropriate security measures to address the risks identified in the risk analysis.
- Documenting the chosen security measures and the rationale for adopting them.
- Maintaining continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process: the organization reviews its records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of the security measures put in place, and regularly re-evaluates potential risks to ePHI.

The following sections describe in more depth the administrative, physical, and technical safeguard requirements that MSPs and VARs must meet to limit their liability. Use the checklists to see whether your organization meets the necessary standards.

Administrative

Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information, and to manage the conduct of the covered entity's workforce in relation to the protection of that information.

- Risk Analysis: Perform and document a risk analysis to determine where PHI is used and stored and in which ways HIPAA may be violated.
- Risk Management: Implement measures sufficient to reduce these risks to an appropriate level.
- Sanction Policy: Implement sanction policies for employees who fail to comply.
- Information System Activity Reviews: Regularly review system activity, logs, audit trails, etc.
- Officers: Designate HIPAA Security and Privacy Officers.
- Employee Procedures: Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing employees' access to PHI.
- Business Associate and Subcontractor Agreements: Have contracts in place with business partners who will have access to PHI to ensure that they will be compliant.
- Organization: Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
- ePHI Access: Implement procedures for granting access to ePHI, to programs that document access to ePHI, and/or to services and systems that grant access to ePHI.
- Security Reminders: Periodically send updates and reminders of security and privacy policies to employees.

- Protection Against Malware: Have procedures for guarding against, detecting, and reporting malicious software.
- Password Management: Ensure there are procedures for creating, changing, and safeguarding passwords.
- Login Monitoring: Monitor log-in attempts to systems and report discrepancies.
- Reporting: Identify, document, and respond to security incidents.
- Contingency Plans: Ensure there are accessible backups of ePHI and procedures for restoring any lost data.
- Contingency Plan Updates and Analysis: Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of the other contingency plan components.
- Emergency Mode: Establish procedures to enable continuation of critical business processes for protecting the security of electronic protected health information while operating in emergency mode.

Physical

Physical measures, policies, and procedures to protect a covered entity's electronic information systems, and the related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.

- Contingency Operations: Establish procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
- Maintenance Records: Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security.
- Facility Security: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
- Access Control: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.
- Workstations: Implement policies governing what software can or must be run, and how it should be configured, on systems that provide access to ePHI. Physically safeguard all workstations that provide access to ePHI and restrict their use to authorized users.
- Media Movement: Record the movements of hardware and media that store ePHI. Create retrievable, exact copies of electronic protected health information, when needed, before moving equipment.
- Device and Media Disposal and Re-use: Create procedures for the secure final disposal of media that contain ePHI and for the re-use of devices and media that could have held ePHI.

Technical

The technology, and the policies and procedures for its use, that protect electronic protected health information and control access to it.

- Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
- Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- Automatic Log-off: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information when deemed appropriate.
- Emergency Access: Establish procedures for obtaining necessary electronic protected health information during an emergency.
- Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is transmitted over an electronic communications network.
- ePHI Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
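The Python model below is an added example, not code from the Techvera guide, showing what four of these technical safeguards and the administrative Information System Activity Review look like when implemented rather than written as policy: unique user identification tied to a role check, automatic log-off after an assumed 15-minute inactivity policy, HMAC-protected record integrity, and a hash-chained audit log whose verify() detects edited, reordered, or deleted entries. The keys, users, timestamps, and the record are constructed for the demo; encryption at rest is not shown because the standard library has no AES, so a real store would wrap the record bytes in an authenticated cipher with KMS-managed keys.

```python
import hashlib
import hmac
import json

# Constructed demo secrets: a real deployment keeps these in a KMS/HSM.
AUDIT_KEY = b"constructed-audit-log-key"
INTEGRITY_KEY = b"constructed-record-integrity-key"
SESSION_TIMEOUT_S = 900  # assumed policy value: 15 minutes of inactivity


class AccessDenied(Exception):
    pass


class SessionExpired(Exception):
    pass


class AuditLog:
    """Audit Controls: append-only log where each entry's HMAC also covers the
    previous entry's tag, so editing, reordering or deleting an entry breaks the chain."""

    def __init__(self, key):
        self._key = key
        self.entries = []           # list of (payload_bytes, tag)
        self._prev = b"\x00" * 32   # chain anchor

    def _tag(self, prev, payload):
        return hmac.new(self._key, prev + payload, hashlib.sha256).digest()

    def record(self, ts, user_id, action, record_id, outcome):
        payload = json.dumps({"ts": ts, "user": user_id, "action": action,
                              "record": record_id, "outcome": outcome},
                             sort_keys=True).encode()
        tag = self._tag(self._prev, payload)
        self.entries.append((payload, tag))
        self._prev = tag

    def verify(self):
        """Re-walk the chain (the activity-review step); False on any break."""
        prev = b"\x00" * 32
        for payload, tag in self.entries:
            if not hmac.compare_digest(self._tag(prev, payload), tag):
                return False
            prev = tag
        return True


class EphiStore:
    """Unique user IDs, automatic log-off and integrity-checked records."""

    def __init__(self, roles, audit):
        self._roles = roles         # user_id -> role; one ID per person
        self._audit = audit
        self._records = {}          # record_id -> (bytes, integrity tag)
        self._sessions = {}         # user_id -> timestamp of last activity

    def login(self, user_id, now):
        if user_id not in self._roles:
            raise AccessDenied(user_id)
        self._sessions[user_id] = now

    def _touch(self, user_id, now):
        last = self._sessions.get(user_id)
        if last is None or now - last > SESSION_TIMEOUT_S:
            self._sessions.pop(user_id, None)   # automatic log-off
            raise SessionExpired(user_id)
        self._sessions[user_id] = now

    @staticmethod
    def _integrity_tag(record_id, data):
        return hmac.new(INTEGRITY_KEY, record_id.encode() + data, hashlib.sha256).digest()

    def write(self, user_id, record_id, data, now):
        self._touch(user_id, now)
        if self._roles[user_id] != "clinician":
            self._audit.record(now, user_id, "write", record_id, "denied")
            raise AccessDenied(user_id)
        self._records[record_id] = (data, self._integrity_tag(record_id, data))
        self._audit.record(now, user_id, "write", record_id, "ok")

    def read(self, user_id, record_id, now):
        self._touch(user_id, now)
        data, tag = self._records[record_id]
        if not hmac.compare_digest(self._integrity_tag(record_id, data), tag):
            self._audit.record(now, user_id, "read", record_id, "integrity_failure")
            raise ValueError("record %s failed integrity check" % record_id)
        self._audit.record(now, user_id, "read", record_id, "ok")
        return data


def demo():
    """Exercise each safeguard on constructed data; returns (outcomes, audit_log)."""
    audit = AuditLog(AUDIT_KEY)
    store = EphiStore({"dr.lee": "clinician", "billing01": "billing"}, audit)
    outcomes = []
    store.login("dr.lee", 1000)
    store.write("dr.lee", "MRN-0001", b"dx: hypertension", 1010)
    outcomes.append(store.read("dr.lee", "MRN-0001", 1020))
    store.login("billing01", 1020)
    attempts = (
        (store.write, ("billing01", "MRN-0001", b"x", 1030)),                 # wrong role
        (store.read, ("dr.lee", "MRN-0001", 1020 + SESSION_TIMEOUT_S + 1)),   # idle too long
    )
    for fn, args in attempts:
        try:
            fn(*args)
            outcomes.append("allowed")
        except (AccessDenied, SessionExpired) as exc:
            outcomes.append(type(exc).__name__)
    data, tag = store._records["MRN-0001"]
    store._records["MRN-0001"] = (b"dx: healthy", tag)   # simulate tampering at rest
    try:
        store.read("billing01", "MRN-0001", 1040)
        outcomes.append("allowed")
    except ValueError:
        outcomes.append("IntegrityFailure")
    return outcomes, audit
```

Two design points matter in practice. Denied and failed actions are logged as well as successful ones, because the activity review is looking for exactly those. And a hash chain alone cannot detect truncation of the newest entries; the latest tag has to be anchored somewhere the log writer cannot alter (a separate system, a signed checkpoint, or write-once storage) for the review to be complete.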