HIPAA Question & Answer Session (September 2013)

864-200-2419
info@healthsecuritysolutions.com
HIPAA Q & A
With
Steve Spearman
&
Mary Pat Whaley
September 17, 2013

864-200-2419
#1:#1: I am not quite sure what to ask, II am not quite sure what to ask, I
guess I should start with how is thisguess I should start with how is this
going to affect our practice and whatgoing to affect our practice and what
changes do I need to be aware of?changes do I need to be aware of?

864-200-2419
Today’s QuestionsToday’s Questions
• Risk Analysis
• Notice of Privacy Practices (NPPs)
• Business Associate Agreements (BAAs)
• HIPAA Training & Policies/Procedures

864-200-2419
Key Provisions of HIPAA OmnibusKey Provisions of HIPAA Omnibus
• Breach Notification
• BAAs and
Subcontractors
• Fundraising and
Marketing
• NPP Changes
• Hybrid Entity
treatment
• Deceased patients
• Immunization
Records release
• Concealment rule

864-200-2419
#2:#2: Do you have a suggested or preferredDo you have a suggested or preferred
format/method for conducting andformat/method for conducting and
documenting a security risk analysis, sincedocumenting a security risk analysis, since
the OCR has not specified such? It is truly athe OCR has not specified such? It is truly a
large amount of documentation with solarge amount of documentation with so
many "moving" parts!many "moving" parts!

864-200-2419
How to Conduct aHow to Conduct a
Security Risk AnalysisSecurity Risk Analysis
• NIST
– “Guidance on Risk Assessment
(NIST 800-30)
– SP 800-66 – Resource Guide for
Implementing HIPAA
• Audit Protocol – June 2012
• ONC Guide to Privacy and
Security of HIT
– Myths and Facts (p.11)

864-200-2419
Security Risk Analysis Myths and FactsSecurity Risk Analysis Myths and Facts
Myths Facts
Optional for small providers No. All eligible providers (EP)
Installing a certified EHR is enough No. The risk analysis must look at all systems
with ePHI.
My EHR vendor is handling this No. EPs are solely responsible for the risk
analysis.
A checklist will suffice No. While useful, they are inadequate.
Only needs to look at EHR No. All IT assets processing, storing, accessing
ePHI.
I must outsource the risk analysis. No. You can conduct this yourself.

864-200-2419
Meaningful Use and Risk AnalysisMeaningful Use and Risk Analysis
MEANINGFUL USE CRITERIA
#12 Provide patients with electronic copy of their health information upon request
#13 Provide clinical summaries for patients for each offic
# 14 Perform at least one test of certified EHR technica
#15 Conduct or review a Security Risk Analysis per 45 CFR
Conduct or review a
Security Risk Analysis
per 45 CFR 164.308 (a)(1)
and implement security
updates as necessary.
Conduct or review a
Security Risk Analysis
per 45 CFR 164.308 (a)(1)
and implement security
updates as necessary.

864-200-2419
Copier/Scanner Hard DrivesCopier/Scanner Hard Drives
Cloud StorageCloud Storage
Patient Portal SecurityPatient Portal Security
Emailing Records to Patients/Emailing andEmailing Records to Patients/Emailing and
Texting With PatientsTexting With Patients
Best Encryption MethodBest Encryption Method
Employees Working From HomeEmployees Working From Home
Related Questions:Related Questions:

864-200-2419
Special Offer for Attendees:Special Offer for Attendees:
Risk Analysis is the MOST overlooked provision of HIPAA - it is the first HIPAA
safeguard and is the last Meaningful Use Core Measure (will you have to give
your MU money back?)
The RAIAB includes 50-70 page Risk Analysis Report, customized HIPAA security
policies, security management plan, and security awareness posters. This is
everything a 2-provider/1-location needs!
A Great Value at $1,795! Find it in the Manage My Practice store.

864-200-2419
#3:#3: What has changed with theWhat has changed with the
Notice of Privacy Practices (NPP)?Notice of Privacy Practices (NPP)?
Do I update the one I have or startDo I update the one I have or start
over with a new one?over with a new one?

864-200-2419
Notice of Privacy Practices (NPP)Notice of Privacy Practices (NPP)
NPP Changes
•Types of uses requiring authorization:
– Psychotherapy notes
– Those that constitute a sale of PHI
– Anything not covered in YOUR NPP
•Fundraising right to opt out
•Right to restrict disclosure for OOP payments
•Right to be notified in the event of a breach

864-200-2419
Sign-in SheetsSign-in Sheets
Releasing original records vs. all recordsReleasing original records vs. all records
Transporting charts in vehiclesTransporting charts in vehicles
Allowable/Non-allowable Records ReleaseAllowable/Non-allowable Records Release
Mail received by the wrong entityMail received by the wrong entity
Verbal permission vs. written permissionVerbal permission vs. written permission

864-200-2419
#4:#4: How do I know when I have to haveHow do I know when I have to have
a BAA? If I use an EHR vendor that has aa BAA? If I use an EHR vendor that has a
33rdrd
party provide part of the service, orparty provide part of the service, or
will my BAA with the vendor cover all 3will my BAA with the vendor cover all 3rdrd
parties?parties?

864-200-2419
Business Associate AgreementsBusiness Associate Agreements
• Treatment of subcontractors
– Clarifies that they are BAs
– BAs must have BAA in place with
downstream vendors

864-200-2419
Is the provider of off-site storage a BA?Is the provider of off-site storage a BA?
Are janitorial staff BAs?Are janitorial staff BAs?
Is Care Credit a BA?Is Care Credit a BA?

864-200-2419
#5: What type of HIPAA training is#5: What type of HIPAA training is
required for new employees and howrequired for new employees and how
often is HIPAA retraining required foroften is HIPAA retraining required for
all employees?*all employees?*
* Covered in more depth next month!

864-200-2419
Security Training SafeguardsSecurity Training Safeguards
Security Awareness and Training
 Security Reminders (A)
 Protection from Malicious Software
(A)
 Log-in Monitoring (A)
 Password Management (A)

864-200-2419
Is my existing HIPAA manual still usable?Is my existing HIPAA manual still usable?
What’s the best way to train employeesWhat’s the best way to train employees
on the new rules?on the new rules?
What policies need to be put in placeWhat policies need to be put in place
and how should employees sign off onand how should employees sign off on
them?them?

864-200-2419
#6: What are the first steps to#6: What are the first steps to
ensuring Best Practices for the HIPAAensuring Best Practices for the HIPAA
Omnibus Rules?Omnibus Rules?

864-200-2419
Risk Assessment (internal or external)Risk Assessment (internal or external)
NPP (sample provided in Action Pack)NPP (sample provided in Action Pack)
BAA (sample provided in Action Pack)BAA (sample provided in Action Pack)
Training & PoliciesTraining & Policies
Action Plan:Action Plan:

864-200-2419
October 15th
1:00 – 2:00 p.m. EST
Register Here!
NextNext FREEFREE HIPAA Webinar:HIPAA Webinar:
Mark your calendar today!

864-200-2419
Contact Us!Contact Us!
Steve Spearman
sspearman@healthsecuritysolutions.com
864-200-2419
Mary Pat Whaley
marypat@managemypractice.com
919-370-0504
&

HIPAA Question & Answer Session (September 2013)

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

HIPAA Question & Answer Session (September 2013)