HIPAA & HITECH Made Easy for Behavioral Health Professionals

Marlene M. Maheu, Ph.D.
Executive Director


HIPAA & HITECH Made Easy for Behavioral Health Professionals -- Marlene Maheu


HIPAA & HITECH Made Easy for Behavioral Health Professionals
1-Hour Webinar

At the TeleMental Health Institute, we have the option for you to earn CEUs while you learn the updates of HIPAA and HITECH:

For 1 CEU for mental health professionals and nurses, go to this page for details: http://telehealth.org/hipaa-hitech

Join the innovative group of over 1,200 mental health professionals at the TeleMental Health Institute: www.telehealth.org

Published in: Education, Business, Technology


  1. HIPAA & HITECH Made Easy for Behavioral Health Professionals. Marlene M. Maheu, Ph.D., Executive Director, TeleMental Health Institute
  2. Disclaimer: I am an MFT and clinical psychologist, not an attorney, physician or Information Technology specialist. My goal is educational only. The information I present is my best attempt to bring you timely and relevant information in a rapidly evolving area. I therefore make no warranty, guarantee, or representation as to the accuracy or sufficiency of the information contained in my training. My goal is to outline the issues and alert you to what's happening, including legal, ethical and other risk management issues. You are encouraged to seek specific advice related to your circumstance from your qualified authorities.
  3. Health Insurance Portability and Accountability Act (HIPAA). Three HIPAA Rules: Transmission; Privacy; Security
  4. HIPAA Privacy Rule: Data are "individually identifiable" if they include any of the 18 types of identifiers if the provider or researcher if the information could be used, either alone or in combination with other information, to identify an individual:
  5. HIPAA Privacy Rule (cont.): 2. Address (all geographic subdivisions smaller than state, including street address, city, county, zip code) 3. All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89) 4. Telephone numbers 5. Fax number 6. Email address 7. Social Security number 8. Medical record number 9. Health plan beneficiary number 10. Account number 11. Certificate/license number 12. Any vehicle or other device serial number 13. Device identifiers or serial numbers 14. Web URL 15. Internet Protocol (IP) address numbers 16. Finger or voice prints 17. Photographic images 18. Any other characteristic that could uniquely identify the individual
  6. HIPAA "Final Rule": When HIPAA was first passed in 1996, most health care practitioners, hospitals and insurance companies scurried to bring themselves into compliance with the new standards. In the face of these final rules, business associates will have to engage in the same process. HHS is stepping up enforcement efforts. See the Federal Register, available online at http://federalregister.gov/a/2013-01073, and on FDsys.gov
  7. Intelligently discuss how HITECH relates to HIPAA
  8. HIPAA vs. HITECH: Health Information Technology for Economic and Clinical Health (HITECH Act) of 2009: Applied privacy and security provisions and penalties to business associates; Imposed new breach notification requirements; Created stricter disclosure requirements, such as: Limiting the disclosure of PHI to the minimum necessary; Requiring health care providers to make available an accounting of certain disclosures when made at client/patient's request; Strengthening enforcement procedures and penalties
  9. Breach Reporting Requirements: If aware of a potential breach of protected health information: Conduct risk assessment; Mitigate breaches (purchase 1 year account to Equifax, Transunion or Experian); Report breach to affected clients, the federal government, and in some cases, the media
  10. Insurance Company Disclosures: Do not disclose treatment information to your client's health insurance carrier if they are paying you out-of-pocket, unless the disclosure is required by law
  11. Client/Patient Request for Records: Clients/patients may ask for copies of their electronic health records in electronic form and you must comply
  12. What makes you a "covered entity"?
  13. Covered Entity: The term "covered entity" under the HIPAA Privacy Rule refers to three specific groups, including health plans, health care clearinghouses, and health care providers that transmit health information electronically. Providers subject to the Privacy Rule include: Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, and Pharmacies. http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/Privacyandsecurity/entityhipaa.html
  14. Explain why encryption is not adequate for HIPAA compliance
  15. HIPAA and Encryption: HIPAA sets many different types of standards; Technology does not need to be in compliance with those standards; Professionals have to be in compliance with the standards
  16. Name 5 little known, yet essential changes to HIPAA and HITECH as of January 2013
  17. HIPAA "Final Rule": Infrastructure, documentation, and procedures for information privacy and IT security, and data encryption and disposal will have to be evaluated and brought into compliance. Companies need to provide formal security training to all employees, designate a security official and implement appropriate business associate contracts with their own subcontractors.
  18. HIPAA, Business Associates & HITECH: All Business Associates in health care must sign an agreement stating their adherence to HIPAA standards (Transactions; Security; Privacy). True for any service you hire. This requirement is now enforced by the HITECH Act
  19. HIPAA "Final Rule", January 17, 2013: Business associates of covered entities are directly liable for compliance with HIPAA Privacy and Security Rules' requirements. Includes contractors, subcontractors and business service companies working for health care providers (e.g., companies providing electronic health records software, teleconferencing, data back-up and storage, billing, transcription and other IT services). Raises the maximum penalty for data breaches from a previous cap of $250,000 to a maximum penalty of $1.5 million per violation.
  20. Business Association Agreements: Remember to update Business Association Agreements (BAAs): Contractors & subcontractors (Billing; Data storage; Office admins; Whomever has access)
  21. HIPAA Policies: Use HIPAA compliant technologies and develop written processes (Document policies); Security & privacy policies (Repairs; Staff training; Breach notification, etc.)
  22. Email: Send PHI in unencrypted e-mail only if the client/patient is advised of the risk and still requests use of email as a means of transmission
  23. Unencrypted Email: The new ethical standards released by the American Counseling Association (March, 2014) now state that counselors cannot have an initial contact with a potential client in email.
  24. Policies & Procedures: Implement or update privacy and security policies and procedures: Need policies to be written (a paragraph is ok); Staff education; Breach procedures (Consult your attorney; 500 or more records: notify media)
  25. Explain at least 2 warnings against Skype by leading mental health professional associations
  26. Skype and Health Privacy: Free; AES 265-bit encryption; Access to patient's environment. BUT: Skype makes no claim that its services can be used in a HIPAA-compliant manner; Skype does not offer a BA Agreement; Cannot verify transmission security; Does not provide breach notification; Does not provide technical support; Frequently dropped calls (Emergencies?); No audit trails
  27. APA 2014 Skype Statement (screenshot of APA Practice Update, April 24, 2014, by Legal and Regulatory Affairs staff): "Given the growing use of technology for communication, many practitioners are interested in knowing whether popular options are compatible with Health Insurance Portability and Accountability Act (HIPAA) requirements. Skype, whose basic features are free and easy to use, is one such option of interest to practicing psychologists. HIPAA does not specify the kinds of technologies that covered entities should use for creating, receiving, storing or transmitting electronic patient health information (ePHI). Under the HIPAA Security Rule, covered entities must conduct individual risk assessments about the technologies (hardware, software, etc.) they use that store or transmit ePHI. Skype does use encryption, a factor related to HIPAA Security Rule compliance. Even so, that factor alone does not accommodate HIPAA requirements. The use of Skype raises several concerns related to HIPAA. First, liability for failure to comply with HIPAA is now shared equally by covered entities and business associates, third parties that provide services to covered entities and may have access to PHI. So it is critical for practitioners to have business associate agreements in place. Yet Skype does not offer business associate agreements for health care professionals who want to use it for telehealth purposes. In fact, Microsoft, which owns Skype, did not mention Skype in its April 2013 press release announcing its updated business …" http://www.apapracticecentral.org/update/2014/04-24/skype-hipaa.aspx
  28. American Psychological Association: 1. Practitioners need to have Business Associate's Agreements, but Skype doesn't offer BAAs 2. Lack of audit controls to monitor who is accessing ePHI 3. Lack of breach notification tools to alert users of unauthorized disclosures or access to ePHI
  29. HIPAA requires an "audit trail". Skype doesn't provide audit trails, and isn't obligated to
  30. HIPAA & Private Practices: From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency: 1. Impermissible uses and disclosures of protected health information; 2. Lack of safeguards of protected health information; 3. Lack of patient access to their protected health information; 4. Uses or disclosures of more than the minimum necessary protected health information; and 5. Lack of administrative safeguards of electronic protected health information. The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency: 1. Private Practices; 2. General Hospitals; 3. Outpatient Facilities; 4. Health Plans (group health plans and health insurance issuers); and 5. Pharmacies. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html
  31. Read Skype's Privacy Policy: Skype may gather and use info about you... Identification data (e.g. name, username, address, telephone number, mobile number, email address); Electronic identification data (e.g. IP addresses, cookies); List of your contacts and related data; Content of instant messaging communications, VMs, video messages. Skype uses its own cookies for a variety of purposes, including to provide internal and customer analytics and gain statistics and metrics about our websites. Skype's analytics, ad-serving and affiliate partners may also set and access cookies on your computer. Skype will take appropriate organizational and technical measures to protect the personal data and traffic data provided to it or collected by it with due observance of the applicable obligations and exceptions under the relevant legislation
  32. Skype's Hackings: By Leonas Sendrauskas on November 14, 2012, [UPDATE: 14/11/2012 @ 15:28 GMT] "Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience."
  33. Is Skype Reliable? Skype tiles & pixelates, the audio gets tinny, echoes develop, and often calls drop entirely. Sometimes consumers can see you and hear you, without your awareness.
  34. Telepsychiatry: The Perils of Using Skype (article screenshot): "First released in 2003, Skype offers free, worldwide video access to any patient with an Internet connection, either by mobile device or desktop computer. What it does not offer, however, is a means of communication clearly suitable for clinical services, especially in mental health. According to estimates reported by groups such as the Institute for Healthcare Consumerism, telehealth is poised to grow by 55% in 2013 alone, and 6-fold by 2017. Wisely or otherwise, some of this growth will likely occur via Skype. Thus, it is prudent to consider the issues. The Health Insurance Portability and Accountability Act: Ordinarily, neither federal nor state law is designed to regulate specific proprietary entities such as Skype and its competitors. Video-chat platforms were developed for marketing to the general consumer, and not for health care. The Health Insurance Portability and Accountability Act (HIPAA) holds professionals responsible for conducting their own internal risk assessments regarding their chosen technologies. Before using any equipment the professional should require documentation that explicitly promises 'HIPAA compliance' or 'HIPAA compatibility'. One could take further comfort in a designation of Federal Information Processing Standard (FIPS) certification, a standard that may meet and exceed HIPAA standards. HIPAA requires the use of equipment that allows for audit trails. According to the American Health Information Management Association, audit trails allow breaches to be traced. Like other proprietary platforms, Skype makes it impossible to conduct approved security audits via audit trails. Skype itself is not"
  35. Name the top US government website to reference when needing HIPAA/HITECH information.
  36. HHS.gov screenshot: Health Information Privacy, Office for Civil Rights. HIPAA Administrative Simplification Statute and Rules: "To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1995 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information. HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans)."
  37. Identify more than 60 HIPAA Compliant alternatives to Skype
  38. OCPM Step 3 Legal Issues: Which Technologies to Use? No Guesswork Needed; HIPAA Compliant
  39. HIPAA-Compliant Video Alternatives: www.telehealth.org/video
  40. Identify at least 3 HIPAA requirements for risk assessment
  41. Risk Assessment & HIPAA: Conduct regular assessments (Identify all devices used with PHI; Identify potential weakness in security policies, processes and systems; Set & document goals for remediation). HHS's Office for Civil Rights and the Office of the National Coordinator for Health IT have released a security risk assessment tool: http://www.healthit.gov/providers-professionals/security-risk-assessment
  42. Identify at least one reason that HIPAA evokes concern among clinicians with regard to duty to warn
  43. Confidentiality Risk & HIPAA? HIPAA is not a risk to privacy or confidentiality standards for mandated reporting. Privacy is the client/patient's right to keep their information from being disseminated. Confidentiality is our legal duty to protect the client's/patient's privacy. HIPAA has set a standard for privacy and confidentiality.
  44. OCPM: Online Clinical Practice Management. Identify 3 states that have laws that are even more stringent than HIPAA for privacy or security
  45. State vs. Federal Law: Many states have their own privacy laws, which can be more stringent than federal law HIPAA & HITECH. Examples are California, Illinois, New York & Texas.
  46. HHS.gov screenshot, Health Information Privacy, Frequently Asked Questions: How do I know if a State law is "more stringent" than the HIPAA Privacy Rule? Answer: "In general, a State law is "more stringent" than the HIPAA Privacy Rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals' identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does. See the definition of "more stringent" at 45 C.F.R. 160.202 for the specific criteria. For example, a State law that provides individuals with a right to inspect and obtain a copy of their medical records in a more timely manner than the Privacy Rule is "more stringent" than the Privacy Rule. In the unusual case where a more stringent provision of State law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of State law, and the State law prevails. Where the more stringent State law and Privacy Rule are not contrary, covered entities must comply with both laws. See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law."
  47. State vs. Federal Law: Consider obtaining a legal review of your HIPAA policies, procedures and other documents by your local, informed attorney. Speak with your professional association's ethics or legal office.
  48. Notice of Privacy Practices: Update your Notice of Privacy Practices: OCR and the Office of the National Coordinator for Health Information Technology released a Model Notice of Privacy Practices, get it here: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
  49. Notice of Privacy Practices (cont.): Make available to existing clients on request; Post on your website; Display in a prominent location in your professional premises; Provide copy to all new clients
  50. Sale of Protected Health Information (PHI): There are additional new restrictions on marketing and sale of PHI, which should be included in practitioners' HIPAA policies and procedures and Notice of Privacy Practices, if relevant.
  51. Where can you get all the other needed HIPAA forms? (Your professional association)
  52. Enforcement: The most common types of covered entities required to take corrective action: Private Practices; General Hospitals; Outpatient Facilities; Health Plans (group health plans and health insurance issuers); and Pharmacies. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html
  53. HHS.gov screenshot: U.S. Department of Health & Human Services, Health Information Privacy, Office for Civil Rights: Case Examples and Resolution Agreements
  54. Discussion? TeleMental Health Institute, Inc. contact@telehealth.org www.telehealth.org
