This is the first in a series of free webinars on HIPAA sponsored and presented by Manage My Practice (Mary Pat Whaley & Abraham Whaley) and Health Security Solutions (Steve Speaman). To see and hear all webinars, click here for free access: http://info.managemypractice.com/register-for-our-free-hipaa-qa-webinar-replays
864-200-2419
info@healthsecuritysolutions.com
#1: I am not quite sure what to ask, I guess I should start with how is this going to affect our practice and what changes do I need to be aware of?
Key Provisions of HIPAA Omnibus
• Breach Notification
• BAAs and Subcontractors
• Fundraising and Marketing
• NPP Changes
• Hybrid Entity treatment
• Deceased patients
• Immunization Records release
• Concealment rule
#2: Do you have a suggested or preferred format/method for conducting and documenting a security risk analysis, since the OCR has not specified such? It is truly a large amount of documentation with so many "moving" parts!
How to Conduct a Security Risk Analysis
• NIST
– SP 800-30 – Guide for Conducting Risk Assessments
– SP 800-66 – Introductory Resource Guide for Implementing the HIPAA Security Rule
• OCR Audit Protocol – June 2012
• ONC Guide to Privacy and Security of Health IT
– Security Risk Analysis Myths and Facts (p. 11)
Security Risk Analysis Myths and Facts
Myth: It is optional for small providers.
Fact: No. It is required of all eligible providers (EPs).
Myth: Installing a certified EHR is enough.
Fact: No. The risk analysis must look at all systems with ePHI.
Myth: My EHR vendor is handling this.
Fact: No. EPs are solely responsible for the risk analysis.
Myth: A checklist will suffice.
Fact: No. While useful, checklists alone are inadequate.
Myth: It only needs to look at the EHR.
Fact: No. It must cover all IT assets that process, store, or access ePHI.
Myth: I must outsource the risk analysis.
Fact: No. You can conduct it yourself.
Meaningful Use and Risk Analysis
MEANINGFUL USE CRITERIA
#12 Provide patients with an electronic copy of their health information upon request
#13 Provide clinical summaries for patients for each office
#14 Perform at least one test of certified EHR technology
#15 Conduct or review a Security Risk Analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary.
Related Questions:
Copier/Scanner Hard Drives
Cloud Storage
Patient Portal Security
Emailing Records to Patients / Emailing and Texting With Patients
Best Encryption Method
Employees Working From Home
Special Offer for Attendees:
Risk Analysis is the MOST overlooked provision of HIPAA. It is the first HIPAA safeguard and the last Meaningful Use Core Measure (will you have to give your MU money back?).
The RAIAB includes a 50-70 page Risk Analysis Report, customized HIPAA security policies, a security management plan, and security awareness posters. This is everything a 2-provider/1-location practice needs!
A Great Value at $1,795! Find it in the Manage My Practice store.
#3: What has changed with the Notice of Privacy Practices (NPP)? Do I update the one I have or start over with a new one?
Notice of Privacy Practices (NPP)
NPP Changes
• Types of uses and disclosures requiring authorization:
– Psychotherapy notes
– Those that constitute a sale of PHI
– Anything not covered in YOUR NPP
• Right to opt out of fundraising communications
• Right to restrict disclosures to a health plan for services paid out of pocket (OOP) in full
• Right to be notified in the event of a breach
Related Questions:
Sign-in Sheets
Releasing original records vs. all records
Transporting charts in vehicles
Allowable/Non-allowable Records Release
Mail received by the wrong entity
Verbal permission vs. written permission
#4: How do I know when I have to have a BAA? If I use an EHR vendor that has a 3rd party provide part of the service, will my BAA with the vendor cover all 3rd parties?
Related Questions:
Is the provider of off-site storage a BA?
Are janitorial staff BAs?
Is Care Credit a BA?
#5: What type of HIPAA training is required for new employees and how often is HIPAA retraining required for all employees?*
* Covered in more depth next month!
Related Questions:
Is my existing HIPAA manual still usable?
What's the best way to train employees on the new rules?
What policies need to be put in place and how should employees sign off on them?