HIPAA Question & Answer Session (September 2013)
HIPAA Question & Answer Session (September 2013)
This is the first in a series of free webinars on HIPAA sponsored and presented by Manage My Practice (Mary Pat Whaley & Abraham Whaley) and Health Security Solutions (Steve Speaman). To see and hear …
This is the first in a series of free webinars on HIPAA sponsored and presented by Manage My Practice (Mary Pat Whaley & Abraham Whaley) and Health Security Solutions (Steve Speaman). To see and hear all webinars, click here for free access: http://info.managemypractice.com/register-for-our-free-hipaa-qa-webinar-replays

Published in: Health & Medicine, Technology
Transcript

  • 1. HIPAA Q & A with Steve Spearman & Mary Pat Whaley, September 17, 2013. 864-200-2419, info@healthsecuritysolutions.com
  • 2. #1: I am not quite sure what to ask. I guess I should start with: how is this going to affect our practice, and what changes do I need to be aware of?
  • 3. Today's Questions:
      • Risk Analysis
      • Notice of Privacy Practices (NPPs)
      • Business Associate Agreements (BAAs)
      • HIPAA Training & Policies/Procedures
  • 4. Key Provisions of HIPAA Omnibus:
      • Breach Notification
      • BAAs and Subcontractors
      • Fundraising and Marketing
      • NPP Changes
      • Hybrid Entity treatment
      • Deceased patients
      • Immunization Records release
      • Concealment rule
  • 5. #2: Do you have a suggested or preferred format/method for conducting and documenting a security risk analysis, since the OCR has not specified such? It is truly a large amount of documentation with so many "moving" parts!
  • 6. How to Conduct a Security Risk Analysis:
      • NIST: Guidance on Risk Assessment (NIST SP 800-30); SP 800-66, Resource Guide for Implementing HIPAA
      • Audit Protocol, June 2012
      • ONC Guide to Privacy and Security of HIT, Myths and Facts (p. 11)
  • 7. Security Risk Analysis Myths and Facts:
      • Myth: Optional for small providers. Fact: No. All eligible providers (EPs).
      • Myth: Installing a certified EHR is enough. Fact: No. The risk analysis must look at all systems with ePHI.
      • Myth: My EHR vendor is handling this. Fact: No. EPs are solely responsible for the risk analysis.
      • Myth: A checklist will suffice. Fact: No. While useful, they are inadequate.
      • Myth: Only needs to look at the EHR. Fact: No. All IT assets processing, storing or accessing ePHI.
      • Myth: I must outsource the risk analysis. Fact: No. You can conduct this yourself.
  • 8. Meaningful Use and Risk Analysis. Meaningful Use criteria:
      • #12 Provide patients with an electronic copy of their health information upon request
      • #13 Provide clinical summaries for patients for each offic
      • #14 Perform at least one test of certified EHR technica
      • #15 Conduct or review a Security Risk Analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary.
  • 9. Related Questions:
      • Copier/Scanner Hard Drives
      • Cloud Storage
      • Patient Portal Security
      • Emailing Records to Patients / Emailing and Texting With Patients
      • Best Encryption Method
      • Employees Working From Home
  • 10. Special Offer for Attendees: Risk Analysis is the MOST overlooked provision of HIPAA. It is the first HIPAA safeguard and the last Meaningful Use Core Measure (will you have to give your MU money back?). The RAIAB includes a 50-70 page Risk Analysis Report, customized HIPAA security policies, a security management plan, and security awareness posters. This is everything a 2-provider/1-location practice needs! A great value at $1,795! Find it in the Manage My Practice store.
  • 11. #3: What has changed with the Notice of Privacy Practices (NPP)? Do I update the one I have or start over with a new one?
  • 12. Notice of Privacy Practices (NPP) Changes:
      • Types of uses requiring authorization:
          – Psychotherapy notes
          – Those that constitute a sale of PHI
          – Anything not covered in YOUR NPP
      • Fundraising: right to opt out
      • Right to restrict disclosure for out-of-pocket (OOP) payments
      • Right to be notified in the event of a breach
  • 13. Related Questions:
      • Sign-in Sheets
      • Releasing original records vs. all records
      • Transporting charts in vehicles
      • Allowable/Non-allowable Records Release
      • Mail received by the wrong entity
      • Verbal permission vs. written permission
  • 14. #4: How do I know when I have to have a BAA? If I use an EHR vendor that has a 3rd party provide part of the service, will my BAA with the vendor cover all 3rd parties?
  • 15. Business Associate Agreements:
      • Treatment of subcontractors
          – Clarifies that they are BAs
          – BAs must have a BAA in place with downstream vendors
  • 16. Related Questions:
      • Is the provider of off-site storage a BA?
      • Are janitorial staff BAs?
      • Is Care Credit a BA?
  • 17. #5: What type of HIPAA training is required for new employees, and how often is HIPAA retraining required for all employees?* (* Covered in more depth next month!)
  • 18. Security Training Safeguards. Security Awareness and Training:
      • Security Reminders (A)
      • Protection from Malicious Software (A)
      • Log-in Monitoring (A)
      • Password Management (A)
  • 19. Related Questions:
      • Is my existing HIPAA manual still usable?
      • What's the best way to train employees on the new rules?
      • What policies need to be put in place, and how should employees sign off on them?
  • 20. #6: What are the first steps to ensuring Best Practices for the HIPAA Omnibus Rules?
  • 21. Action Plan:
      • Risk Assessment (internal or external)
      • NPP (sample provided in Action Pack)
      • BAA (sample provided in Action Pack)
      • Training & Policies
  • 22. Next FREE HIPAA Webinar: October 15th, 1:00 – 2:00 p.m. EST. Register here! Mark your calendar today!
  • 23. Contact Us! Steve Spearman, sspearman@healthsecuritysolutions.com, 864-200-2419 & Mary Pat Whaley, marypat@managemypractice.com, 919-370-0504