PanoMed HIPAA Omnibus Compendium
A presentation by PanoMED for AsisteMed Corp. looking into changes introduced by the Omnibus Final Rule, Privacy and Security requirements, and how management and training are critical components of any compliance strategy.
PanoMed HIPAA Omnibus Compendium Presentation Transcript

  • 1. REGULATORY COMPLIANCE SEMINAR SERIES HIPAA OMNIBUS COMPENDIUM Presenter: Omar E. Vazquez, CHTS Health IT & HIPAA Consultant Panotech Consulting & Services Group http://pr.linkedin.com/in/OmarVR HIPAA OMNIBUS 2013
  • 2. HIPAA OMNIBUS 2013 Disclaimer © Panotech Consulting & Services Group 2013. All rights reserved. The Fine Print The material in this presentation has been prepared by Panotech Consulting & Services Group as an educational tool that is general in nature and current as at the date of preparation. Information is given in summary form and does not purport to be complete. It is not intended to be an exhaustive review of the Health Insurance Portability and Accountability Act (HIPAA) and is not intended to provide legal advice and/or to cover all laws that apply to your practice. Materials presented in this presentation should not be considered a substitute for actual statutory or regulatory language. Always refer to the current edition of a referenced statute, code, standard, guideline, regulation, and/or publication for precise language. Panotech Group does not guarantee the accuracy of the data included in this presentation and accepts no responsibility for any consequences of their use. If you need advice regarding a specific legal or ethical matter, you are encouraged to consult with a competent attorney who could provide you proper legal advice. *Edit The slides in this presentation were prepared as talking points. It is possible that key substantive elements were delivered orally during presentation and are not present on the slides. Questions regarding content should be directed to the author.
  • 3. Content
    1. Changes Introduced by the Omnibus Rule
    2. Overview of Privacy and Security Requirements
    3. Roadblocks to Compliance
    4. How to Achieve Compliance
    5. Q&A Session
  • 4. What Is Changed? – Health Insurance Portability and Accountability Act: Timeline
    ● Enacted in 1996
    ● Amended on December 29, 2000 to include the Privacy Rule
    ● Amended on February 20, 2003 to include the Security Rule
    ● Amended on February 16, 2006 to include the Enforcement Rule
    ● Amended on August 24, 2009 to include HITECH Act provisions (Interim Final Rule)
    ● Amended on January 26, 2013 to incorporate the Omnibus provisions (Final Rule)
    ● September 23, 2013 – Final date for compliance with the Final Rule
  • 5. What Is Changed? – What's the Final (Omnibus) Rule?
    ● Federal Register Vol. 78 No. 17 Part 2 – January 25, 2013
    ● Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.
  • 6. What Is Changed? – Summary of Changes Introduced by the Omnibus Rule
    The omnibus final rule is comprised of the following four final rules:
    1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules.
    ● Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
    ● Strengthen the limitations on the use and disclosure of protected health information for marketing and fund raising purposes, and prohibit the sale of protected health information without individual authorization.
    ● Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • 7. What Is Changed? – Summary of Changes Introduced by the Omnibus Rule (cont.)
    ● Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
    ● Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
    ● Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
  • 8. What Is Changed? – Summary of Changes Introduced by the Omnibus Rule (cont.)
    2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
    3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
    4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.
  • 9. What Is HIPAA? – Health Insurance Portability & Accountability Act (HIPAA) Components
    ● Definitions
    ● General provisions
    ● Enforcement Rule
    ● Privacy Rule
    ● Security Rule
    ● Notification Rule
  • 10. What Is HIPAA? – Important Definitions
    ● Covered Entity (C.E.) – Health plan, clearinghouse, or other person or organization who furnishes, bills, or is paid for health care in the normal course of business and transmits any health information in electronic form.
    ● Business Associate (B.A.) – Any individual or entity who creates, receives, maintains, stores, or transmits protected health information (PHI) for, or on behalf of, a covered entity, even if they do not actually view the protected health information, and/or where the provision of the service involves the disclosure of protected health information. A B.A. is not part of the covered entity's workforce.
    ● Disclosure – Means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
    ● Protected Health Information (PHI) – Means individually identifiable health information transmitted by electronic media, maintained in electronic media, and transmitted or maintained in any other form or medium.
  • 11. What Is HIPAA? – Important Definitions (cont.)
    ● Reasonable cause – Means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
    ● Reasonable diligence – Means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
    ● Willful neglect – Means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
    ● Breach – Means the acquisition, access, use, or disclosure of protected health information in a manner which compromises the security or privacy of such information. A breach is presumed unless the C.E. or B.A. demonstrates that there is a low probability that the protected health information has been compromised (“guilty until proven innocent”).
  • 12. What Is HIPAA? – Important Definitions (cont.)
    ● Unsecured Protected Health Information – Means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology in compliance with the Security Rule.
    ● Marketing – A communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
  • 13. What Is HIPAA? – Understanding HIPAA Rules and Provisions
    ● Policies – Provide guidance about expected behavior and outline the consequences when it is not met. HIPAA sets forth, and is based on, policies.
    ● Standards – A rule, condition, or requirement derived from policies. Each deals with a specific aspect or issue and provides enough detail that an audit can be performed to determine whether the standard is being met. HIPAA defines standards that must be met.
    ● Guidelines – Help implement and maintain standards by providing information on how to accomplish the policies and maintain the standards. HIPAA does not include guidelines; it sets forth Implementation Specifications, and guidelines should be referenced from such entities as the National Institute of Standards and Technology (NIST), for example NIST Special Publication 800-66.
  • 14. What Is HIPAA? – Understanding HIPAA Rules and Provisions: Chain of Causality (diagram; only its labels survive in the transcript): Policies, Standards, Safeguards, Guidelines, Audits; HIPAA Implementation Specifications; e.g. NIST Guidelines, etc.
  • 15. What Is Required? – The HIPAA Privacy Rule
    1. Focuses on safeguarding the individual's right to privacy.
    2. The Privacy Rule establishes minimum Federal standards for protecting the privacy of individually identifiable health information.
    3. Applies to PHI in any form.
  • 16. What Is Required? – The HIPAA Privacy Rule
    The Privacy Rule regulates what information is protected, and how protected health information can be used and disclosed.
    ● Covered entities must disclose PHI to the patient or personal representative within 30 days of a request.
    ● C.E.s must disclose PHI when required to do so by law (e.g. reporting suspected child abuse to state child welfare agencies).
    ● A covered entity may disclose PHI to facilitate treatment, payment, or health care operations (T.P.O.) without a patient's express written authorization.
    ● All other disclosures of PHI require the C.E. to obtain advance written authorization from the individual.
  • 17. What Is Required? – The HIPAA Privacy Rule (cont.)
    ● Minimum necessary: when using or disclosing protected health information, covered entities must make reasonable efforts to limit protected health information to the absolute minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
    ● The Privacy Rule gives individuals the right to request that a C.E. correct any inaccurate PHI.
    ● Requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals.
    ● Requires covered entities to notify individuals of uses of their PHI.
    ● C.E.s must also keep track of disclosures of PHI and document privacy policies and procedures.
  • 18. What Is Required? – The HIPAA Privacy Rule (cont.)
    ● A Privacy Official must be appointed, responsible for receiving complaints and for training all members of the workforce in privacy and security procedures regarding PHI.
    ● An individual or employee who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).
    ● A C.E. must comply with the requirements of the Privacy Rule with regard to the protected health information of a deceased individual for a period of 50 years following the date of death.
    ● C.E.s are permitted to disclose a decedent’s information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
  • 19. What Is Required? – The HIPAA Privacy Rule (cont.)
    ● Personal representatives are not the same as emergency contacts.
    ● A contract between the covered entity and a business associate must establish the permitted and required uses and disclosures of protected health information by the business associate.
    ● A B.A. must use appropriate safeguards with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract.
    ● Special attention should be given to situations involving PHI related to emancipated and unemancipated minors.
    ● PHI may be used and disclosed for research with an individual's written permission in the form of an Authorization.
  • 20. What Is Required? – The HIPAA Notification Rule
    The Breach Notification Rule requires physicians and other covered entities to notify patients, and the HHS, if a breach of unsecured PHI occurs. If the breach involves more than 500 individuals, the media should be notified too. The Breach Notification Rule also requires physician practices and their B.A.s to implement internal policies and procedures relating to breach notification.
  • 21. What Is Required? – The HIPAA Security Rule
    1. Focuses on the safeguarding of electronic protected health information (ePHI).
    2. Created to protect the confidentiality, integrity, and availability of ePHI.
    3. ePHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.
    4. The requirements of the Security Rule were designed to be technology neutral and scalable to covered entities and business associates of all sizes. They are intentionally vague.
  • 22. What Is Required? – The HIPAA Security Rule (cont.)
    Key concepts:
    1. Security – The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is the degree of resistance to, or protection from, harm, and applies to any vulnerable and valuable asset.
    2. Confidentiality – Keeping private information secret, preventing the disclosure of information to unauthorized individuals or systems.
    3. Integrity – Maintaining and assuring the accuracy and consistency of data over its entire life-cycle. Data cannot be modified in an unauthorized or undetected manner.
    4. Availability – The information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly at all times.
  • 23. What Is Required? – The HIPAA Security Rule (cont.)
    The Security Rule enumerates three types of safeguards:
    1. Administrative – Focus on internal organization, policies, procedures, and maintenance of security measures. They keep the medical practice compliant and trained over time, and ensure that it is conscious of the risks it faces.
    2. Technical – Technology, and the policies and procedures for its use, that protect electronic health information and control access to it.
    3. Physical – Physical measures, policies, and procedures to protect a Covered Entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
  • 24. What Is Required? – The HIPAA Security Rule (cont.)
    Safeguards include two categories of implementation specifications:
    ● Required (R) – Its implementation is always required, without exception, no matter the situation.
    ● Addressable (A) – Must be implemented if it is reasonable and appropriate, but does not have to be implemented if there is an alternative that would accomplish the same purpose, or if the standard can be met without implementing the specification or an alternative. “Addressable” does not mean “optional”. Nothing in HIPAA is optional! If implementing the specification is not reasonable and appropriate, the reasons should be properly documented and an alternative measure should be implemented if needed.
  • 25. What Is Required? – The HIPAA Security Rule (cont.)
    Administrative safeguards
    1. Implement policies and procedures to prevent, detect, contain, and correct security violations.
    ● (R) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.
    ● (R) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
    ● (R) Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
    ● (R) Implement procedures to regularly review records of information system activity.
  • 26. What Is Required? – The HIPAA Security Rule (cont.)
    2. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.
    ● (A) Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed, and ensure that the access of a workforce member to electronic protected health information is appropriate.
    ● (A) Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required.
  • 27. What Is Required? – The HIPAA Security Rule (cont.)
    3. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements.
    ● (A) Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
    ● (A) Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
    4. Identify the security official who is responsible for the development and implementation of the policies and procedures required.
  • 28. What Is Required? – The HIPAA Security Rule (cont.)
    5. Implement a security awareness and training program for all members of the workforce, including physicians and management.
    ● (A) Periodic security updates and reminders.
    ● (A) Procedures for guarding against, detecting, and reporting malicious software.
    ● (A) Procedures for monitoring log-in attempts and reporting discrepancies.
    ● (A) Procedures for creating, changing, and safeguarding passwords.
    6. Implement policies and procedures to address security incidents.
    ● (R) Identify and respond to suspected or known security incidents; mitigate harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
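Slide 25's regular review of information system activity records and slide 28's monitoring of log-in attempts and reporting of discrepancies can be turned into a small review script. The code below is an added example, not part of the presentation or Panotech's material; the key=value record format, the sample log lines and the thresholds (five failures in ten minutes, business hours 07:00 to 19:00) are constructed assumptions that a practice would replace with its own log format and policy.

```python
"""Review authentication records for the discrepancies a practice would report:
bursts of failed log-ins, a success right after such a burst, and successful
log-ins outside business hours.

Record format (constructed for this example, not any product's real log):
    <ISO-8601 timestamp> user=<id> src=<ip> result=OK|FAIL
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; user names and addresses are made up.
SAMPLE_LOG = """\
2013-09-23T08:02:11 user=mrivera src=10.1.4.20 result=OK
2013-09-23T08:03:40 user=jdoe src=10.1.4.31 result=FAIL
2013-09-23T08:03:52 user=jdoe src=10.1.4.31 result=FAIL
2013-09-23T08:04:03 user=jdoe src=10.1.4.31 result=FAIL
2013-09-23T08:04:15 user=jdoe src=10.1.4.31 result=FAIL
2013-09-23T08:04:29 user=jdoe src=10.1.4.31 result=FAIL
2013-09-23T08:04:41 user=jdoe src=10.1.4.31 result=OK
2013-09-23T12:30:00 user=mrivera src=10.1.4.20 result=OK
2013-09-24T02:17:45 user=billing src=10.1.9.77 result=OK
2013-09-24T09:00:00 user=mrivera src=10.1.4.20 result=FAIL
2013-09-24T09:00:20 user=mrivera src=10.1.4.20 result=OK
"""


def parse_line(line):
    """Split one record into a dict; the timestamp is parsed under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review_logins(text, fail_threshold=5, window=timedelta(minutes=10),
                  business_hours=(7, 19)):
    """Return (kind, user, timestamp) findings, oldest first.

    The thresholds are assumptions for the example; a practice sets its own
    in its security policies and procedures.
    """
    records = sorted((parse_line(line) for line in text.splitlines() if line.strip()),
                     key=lambda r: r["ts"])
    findings = []
    recent_fail = defaultdict(list)   # user -> failure timestamps inside the window
    burst_reported = set()            # users already flagged for the current burst

    for r in records:
        user, now = r["user"], r["ts"]
        # Forget failures that have fallen out of the sliding window.
        recent_fail[user] = [t for t in recent_fail[user] if now - t <= window]
        if r["result"] == "FAIL":
            recent_fail[user].append(now)
            if len(recent_fail[user]) >= fail_threshold and user not in burst_reported:
                findings.append(("failed_login_burst", user, now))
                burst_reported.add(user)
            continue
        # Successful log-in: preceded by a burst, or outside business hours?
        if len(recent_fail[user]) >= fail_threshold:
            findings.append(("success_after_burst", user, now))
        start, end = business_hours
        if not start <= now.hour < end:
            findings.append(("after_hours_success", user, now))
        recent_fail[user].clear()
        burst_reported.discard(user)
    return findings


if __name__ == "__main__":
    for kind, user, when in review_logins(SAMPLE_LOG):
        print(f"{when.isoformat()}  {user:10s} {kind}")
```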
  • 29. What Is Required? – The HIPAA Security Rule (cont.)
    7. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (e.g. fire, vandalism, system failure, natural disaster) that damages systems that contain electronic protected health information.
    ● (R) Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information (i.e. a back-up plan).
    ● (R) Establish (and implement as needed) procedures to restore any loss of data: a Disaster Recovery Plan.
    ● (R) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode: a Business Continuity Plan.
    ● (A) Implement procedures for periodic testing and revision of contingency plans, and for the assessment of application and data criticality.
  • 30. What Is Required? – The HIPAA Security Rule (cont.)
    8. A covered entity may permit a business associate to create, receive, maintain, store, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.
    ● (R) Document the satisfactory assurances through a written contract or other arrangement with the business associate that meets the applicable requirements.
    9. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of the Security Rule.
  • 31. What Is Required? – The HIPAA Security Rule (cont.)
    Physical safeguards
    1. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
    2. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
  • 32. What Is Required? – The HIPAA Security Rule (cont.)
    3. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
    ● (A) Establish procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
    ● (A) Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
    ● (A) Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and access to software.
    ● (A) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security.
  • 33. What Is Required? – The HIPAA Security Rule (cont.)
    4. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
    ● (R) Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
    ● (R) Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
    ● (A) Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
    ● (A) Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
  • 34. What Is Required? – The HIPAA Security Rule (cont.)
    Technical safeguards
    1. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
    ● (R) Assign a unique name, username, and/or number for identifying and tracking user identity.
    ● (R) Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
    ● (A) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
    ● (A) Implement a mechanism to encrypt electronic protected health information.
  • 35. What Is Required? – The HIPAA Security Rule (cont.)
    2. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
    ● (A) Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
    3. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
    4. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed (authentication).
  • 36. What Is Required? – The HIPAA Security Rule (cont.)
    5. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
    ● (A) Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
    ● (A) Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
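Slides 34 and 35 call for a unique identifier per user, automatic logoff after a predetermined idle time, an electronic mechanism that corroborates ePHI has not been altered in an unauthorized manner, and records of activity in the system. The store below is an added example, not code from the presentation or from Panotech: it ties those four controls together using a keyed hash (HMAC-SHA256) over each record as the integrity tag. The key, record ids and user ids are constructed for the example, and the encryption mechanism the slides also list is deliberately left out.

```python
# Minimal ePHI store: unique user id per session, automatic logoff, HMAC
# integrity tag per record, and an audit trail of every access. Example only.
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed example key; a real deployment keeps it in a key store, not in source.
INTEGRITY_KEY = b"example-only-integrity-key"


class IntegrityError(Exception):
    """Stored content no longer matches its integrity tag."""


class SessionExpired(Exception):
    """The session was idle longer than the configured limit."""


def record_tag(record, key=INTEGRITY_KEY):
    """Keyed hash over canonical JSON, so equal content always gives an equal tag."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class Session:
    def __init__(self, user_id, now, idle_limit):
        self.user_id = user_id        # unique identifier, never a shared login
        self.last_activity = now
        self.idle_limit = idle_limit
        self.active = True

    def touch(self, now):
        """Automatic logoff: refuse any activity once the idle limit has passed."""
        if self.active and now - self.last_activity > self.idle_limit:
            self.active = False
        if not self.active:
            raise SessionExpired(self.user_id)
        self.last_activity = now


class EphiStore:
    def __init__(self, idle_limit=timedelta(minutes=15)):
        self._records = {}    # record_id -> (record dict, tag)
        self.audit_log = []   # (timestamp, user_id, action, record_id, outcome)
        self.idle_limit = idle_limit

    def _audit(self, now, user_id, action, record_id, outcome):
        self.audit_log.append((now, user_id, action, record_id, outcome))

    def open_session(self, user_id, now):
        self._audit(now, user_id, "login", None, "ok")
        return Session(user_id, now, self.idle_limit)

    def write(self, session, record_id, record, now):
        session.touch(now)
        record = dict(record)
        self._records[record_id] = (record, record_tag(record))
        self._audit(now, session.user_id, "write", record_id, "ok")

    def read(self, session, record_id, now):
        session.touch(now)
        record, tag = self._records[record_id]
        if not hmac.compare_digest(tag, record_tag(record)):
            self._audit(now, session.user_id, "read", record_id, "integrity_failure")
            raise IntegrityError(record_id)
        self._audit(now, session.user_id, "read", record_id, "ok")
        return dict(record)

    def verify_all(self):
        """Periodic sweep: ids of records whose content no longer matches its tag."""
        return [rid for rid, (rec, tag) in self._records.items()
                if not hmac.compare_digest(tag, record_tag(rec))]


def simulate_out_of_band_edit(store, record_id, field, value):
    """Demo helper: a change made around the application (e.g. a direct database
    edit) alters the content but never recomputes the tag."""
    store._records[record_id][0][field] = value


def demo():
    """Normal use, then an out-of-band edit, then an idle session; returns outcomes."""
    t0 = datetime(2013, 9, 23, 9, 0, 0)
    store = EphiStore(idle_limit=timedelta(minutes=15))
    s = store.open_session("u-00417", t0)
    store.write(s, "pt-1001", {"patient": "Doe, J.", "dx": "E11.9"}, t0 + timedelta(minutes=1))
    first_read = store.read(s, "pt-1001", t0 + timedelta(minutes=2))
    simulate_out_of_band_edit(store, "pt-1001", "dx", "Z00.00")
    tampered = store.verify_all()
    try:
        store.read(s, "pt-1001", t0 + timedelta(minutes=3))
        read_after_edit = "ok"
    except IntegrityError:
        read_after_edit = "integrity_error"
    try:
        store.read(s, "pt-1001", t0 + timedelta(minutes=30))   # 27 minutes idle
        after_idle = "ok"
    except SessionExpired:
        after_idle = "session_expired"
    return {"first_read": first_read, "tampered": tampered, "read_after_edit": read_after_edit,
            "after_idle": after_idle, "audit_outcomes": [e[4] for e in store.audit_log]}
```

Calling demo() shows the first read succeeding, the integrity sweep and the next read both catching the out-of-band edit, the idle session being refused, and the failed read recorded in the audit trail.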
  • 37. HIPAA OMNIBUS 2013 What Is Required? © Panotech Consulting & Services Group 2013. All rights reserved. The HIPAA Security Rule (cont.) General Requirements 1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, stores, or transmits. 2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. 3. Ensure workforce compliance.
  • 38. HIPAA OMNIBUS 2013 What Is Required? © Panotech Consulting & Services Group 2013. All rights reserved. The HIPAA Security Rule – The not so obvious Are network firewalls required? Firewalls are hardware and software devices that protect an organization’s network from intruders, such as hackers or data thieves. When properly configured, firewalls deny access to unauthorized users and applications, and they create audit trails or logs that identify who accessed the network and when. Although HIPAA does not mention firewall appliances, you should consider them as required since: ● In conjunction with workstation firewalls, they are considered a fundamental security measure by NIST and other security standards. ● Idaho State University was fined $400,000 for violations of the HIPAA Security Rule due to disabled firewall protections. OCR concluded that ISU did not apply proper security measures and policies to address risks to electronic protected health information (ePHI).
  • 39. HIPAA OMNIBUS 2013 What Is Required? © Panotech Consulting & Services Group 2013. All rights reserved. The HIPAA Security Rule – The not so obvious (cont.) Can you make use of free antivirus software? Industry experts consider the following procedures as a minimum solution set to satisfy both the spirit and intent of the 164.308(a)(5)(ii)(B) standard (Protection from malicious software): ● Frequently update all operating systems with the latest updates and security patches (weekly). ● Implement business-class anti-malware protection across all systems and components — primarily anti-virus and anti-spam. Run updates and scans very frequently (daily). Most free anti-virus systems are actually not only ineffective, some are threats unto themselves. The best solutions are those that are configured to deliver solutions over the entire network, not on individual devices. Deploy a business-class security solution.
  • 40. HIPAA OMNIBUS 2013 What Is Required? © Panotech Consulting & Services Group 2013. All rights reserved. The HIPAA Security Rule – The not so obvious (cont.) What about Windows XP? After April 8th, 2014 Windows XP will reach End-Of-Life and will no longer receive security updates, leaving the network and workstations vulnerable to attack. Thus: ● You will not be able to “ensure the confidentiality, integrity, and availability of all electronic protected health information”. ● You will not be protecting “against any reasonably anticipated threats or hazards to the security or integrity of such information”. After April 8th, 2014 the use of Windows XP will constitute a security breach due to “willful neglect”. Upgrade to a Professional version of Windows 7, Windows 8, or Mac OS X.
  • 41. What Is Required?
    The HIPAA Security Rule – The not so obvious
    What kind of computers should you buy?
    If you are replacing old machines or just buying new ones, go with warranty-backed business-oriented OEM systems. Consider this:
    ● Consumer-grade computers are not designed to provide for security and business continuity. They come with “Home” versions of Windows, creating licensing issues.
    ● There's no considerable difference in cost between consumer-grade and business-grade computers.
    ● Business-grade computers, more often than not, come with components and features that will enable you to comply with HIPAA rules more easily. Look for systems with an integrated “Trusted Platform Module” (TPM).
  • 42. What Is Required?
    The HIPAA Security Rule – The not so obvious
    Any other considerations?
    ● If using WiFi, WEP security and Wi-Fi Protected Setup (WPS) must not be used. Security should be implemented with Wi-Fi Protected Access II (WPA2) or RADIUS.
    ● Contrary to popular belief, HIPAA does not prohibit the use of email. You should select a HIPAA compliant email service provider that can provide you with a B.A.A. (e.g. Office 365), and make use of it in accordance with the Security Rule and your organizational policies. The same applies to electronic fax services.
    ● Encryption renders data unreadable. In the case of a burglary or any other similar incident in which encrypted PHI is stolen or leaked, it will not constitute a security breach. It is advisable to use disk encryption (e.g. Windows BitLocker) on all workstations. Back-ups should also be encrypted.
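    The workstation items from slides 38 to 42 (host firewall, current anti-malware, a supported Windows version, TPM, BitLocker, WPA2-only Wi-Fi) can be audited on each machine. The script below is an added example, not part of the presentation or of any PanoMED tooling; it assumes Windows 8 / Server 2012 or later run from an elevated PowerShell prompt, and uses only the standard Windows cmdlets named in the comments (on Windows 7, checks whose cmdlets are missing are reported as UNKNOWN rather than failing).

```powershell
# Added example (not from the presentation): read-only audit of the workstation
# items the "not so obvious" slides call for. Assumes Windows 8 / Server 2012+
# with the NetSecurity, Defender, TrustedPlatformModule and BitLocker modules,
# run elevated. A check whose cmdlet is missing or fails is reported as UNKNOWN.
function Test-ComplianceItem {
    param([string]$Name, [scriptblock]$Check)
    $ErrorActionPreference = 'Stop'      # turn cmdlet errors into catchable ones
    try   { $result = & $Check }
    catch { $result = $null }            # cmdlet missing, no hardware, or access denied
    if ($null -eq $result) { $status = 'UNKNOWN' }
    elseif ($result)       { $status = 'PASS' }
    else                   { $status = 'FAIL' }
    [pscustomobject]@{ Item = $Name; Status = $status }
}

$report = @(
    # Windows XP is NT 5.1; the slide's floor is Windows 7 (NT 6.1) or newer.
    Test-ComplianceItem 'Supported OS (Windows 7 or newer)' {
        [Environment]::OSVersion.Version -ge [version]'6.1'
    }
    # Workstation firewall enabled on every profile (domain, private, public).
    Test-ComplianceItem 'Host firewall on all profiles' {
        -not (Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
    }
    # Real-time anti-malware on, signatures updated within the last day (daily updates).
    Test-ComplianceItem 'Anti-malware active, signatures updated daily' {
        $mp = Get-MpComputerStatus
        $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 1)
    }
    # Business-grade hardware: TPM present and initialized.
    Test-ComplianceItem 'TPM present and ready' {
        $tpm = Get-Tpm
        $tpm.TpmPresent -and $tpm.TpmReady
    }
    # Disk encryption (BitLocker) fully applied and protecting the system drive.
    Test-ComplianceItem 'BitLocker protecting system drive' {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
    }
    # No saved Wi-Fi profile may use open or WEP authentication (WPA2 is the floor).
    # WPS is an access-point setting and has to be disabled on the router itself.
    Test-ComplianceItem 'No open/WEP Wi-Fi profiles' {
        $names = (netsh wlan show profiles) -match 'All User Profile' |
                 ForEach-Object { ($_ -split ':', 2)[1].Trim() }
        $weak = foreach ($n in $names) {
            if ((netsh wlan show profile name="$n") -match 'Authentication\s*:\s*(Open|WEP)') { $n }
        }
        -not $weak
    }
)
$report | Format-Table -AutoSize
```

    Any FAIL row maps directly to one of the slide items above; keep the output with the practice's risk-assessment records, since documented checks are what an OCR review asks for.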
  • 43. How To Comply?
    First things first... What HIPAA is not
    ● A one-time kind of thing
    ● An ideal
    ● Organically achieved
    ● Optional
    ● Narrow scope (i.e. “A line in the floor”)
    ● Detailed guidelines
  • 44. How To Comply?
    What HIPAA is
    ● A never-ending process
    ● A stringent federal regulation
    ● Achieved through pro-active management
    ● Obligatory
    ● Encompasses every aspect of the medical practice
    ● Intentionally vague
  • 45. How To Comply?
    Roadblocks to compliance
    ● Lack of corporate identity
    ● Wrong attitude towards compliance
    ● Lack of commitment from physicians and management
    ● Over-confidence
    ● No follow-up
    ● Lack of IT and security backgrounds
    ● Lack of knowledge
  • 46. How To Comply?
    The Process of Achieving Compliance - Management
    HIPAA compliance is a continuous process that needs to be managed and improved over time. The D.M.A.I.C. methodology is the standard:
    Define – Establish the problem or need.
    Measure – Perform a current-state assessment of the medical practice. Compare it to the standards.
    Analyze – Identify, validate, list, and prioritize potential causes of the problem(s).
    Improve – Identify, test, and implement a solution following guidelines.
    Control – Monitor and sustain the improvement.
  • 47. How To Comply?
    The Process of Achieving Compliance - Training
    Periodic workforce training is critical for achieving and sustaining HIPAA compliance. Improving privacy and security competence is a continuous four-stage process:
    Unconscious Incompetence – “We don't know what we don't know”. Unaware of the deficiency. Blissful ignorance before learning begins.
    Conscious Incompetence – “We know that we don't know”. Overwhelming awareness of the deficiency. Learning begins. Pivotal point.
    Conscious Competence – “We know that we know”. Putting learning into practice. Start gaining confidence. Heavy conscious involvement and concentration.
    Unconscious Competence – “We don't know that we know”. Skill has become a habit and can be performed without heavy conscious effort and with automatic ease.
  • 48. How To Comply?
    REMEMBER!
    “What you don't know can (and will) hurt you” – Educate yourself about laws and regulations. Stay informed about accepted best practices. Learn from others' mistakes.
    “Ignorance is risk” – Perform risk assessments. Train your team periodically about privacy, security, risks, company policies, goals, and achievements.
    “People need a cause” – Promote a culture of privacy and security. Team members should feel committed to and proud of protecting patients' privacy and minimizing the practice's risk.
    “If it's not documented, it doesn't count” – Document everything! Keep records of policies, assessments, disclosures, authorizations, training, devices, breaches, etc.
    “Find strength in unity” – Don't try to do it all by yourself. Rely on the right Business Associates to help you stay compliant and productive.
  • 49. Q&A
  • 50. Resources
    Omnibus Rule Compliant Forms
    The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have collaborated to develop model Notices of Privacy Practices for health care providers and health plans to use to communicate with their patients and plan members. You can go to www.panomedpr.com/forms to learn more and download copies of the model documents.
  • 51. Resources
    Guidance For Protecting ePHI
    HHS provides a reference to NIST guidance on rendering unsecured protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals. You can find the guidance at www.panomedpr.com/security.
  • 52. Resources
    HIPAA Compliant Email
    Microsoft provides a secure and low-cost email service that meets HIPAA compliance requirements and provides a Business Associate Agreement (BAA). You can go to www.panomedpr.com/office to evaluate the service free-of-charge for 30 days and review the HIPAA Business Associate Agreement when you sign up for the free trial.
  • 53. Resources
    Computer Security Alternatives
    Microsoft also provides the anti-virus and anti-malware Forefront Endpoint Security system as a low-cost monthly service through a Windows Intune subscription. It is intended for medical practices without servers. You can go to www.panomedpr.com/intune to try the service free-of-charge.
    Kaspersky Total Space Security is a cost-effective security system, paid annually, that provides ease of management and high performance. It is best suited for medical practices with servers. You can go to www.panomedpr.com/kaspersky to try the service free-of-charge.
  • 54. Resources
    HIPAA Compliant Backup Service
    Carbonite Business is a HIPAA compliant off-site backup service for workstations and servers. It employs encryption and provides a Business Associate Agreement (BAA) to medical practices. You can go to www.panomedpr.com/carbonite to try the service free-of-charge for 30 days.
  • 55. About Us
    Who is AsisteMed?
    AsisteMed Corp. is a team of physicians helping physicians implement and make the most of their Electronic Health Record system (EHR) in a cost-effective and non-disruptive way, while also streamlining the process of achieving Meaningful Use and qualifying for federal incentives. AsisteMed Corp. provides hands-on and on-site consulting, training, and assistance for medical practices of all sizes.
    Contact and follow AsisteMed: info@asistemedpr.com, www.facebook.com/Asistemed
  • 56. About Us
    Who is PanoMED?
    PanoMed™ is Panotech Group's common-sense and vendor-neutral approach to health information management, compliance, and technology for small and mid-sized medical practices in Puerto Rico and the U.S. Virgin Islands. PanoMED's fiduciary duty is to enable physicians to achieve a highly reliable, secure, and HIPAA compliant medical practice at the lowest possible cost and risk, by providing the right combination of consulting, training, and support in technology, privacy, and security matters.
    Contact and follow PanoMED on your favorite social network: info@panomedpr.com, panomedpr.com/gplus, panomedpr.com/facebook, panomedpr.com/twitter, panomedpr.com/news
  • 57. About Us
    Thank You!