This document provides an overview of HIPAA compliance requirements for healthcare startups selling to health systems. It discusses how health systems prioritize compliance and security above all else. The presenter, Jim Anfield, will prepare entrepreneurs on how to effectively communicate that their solutions meet HIPAA compliance and security standards to facilitate partnerships with health systems. He will cover common pitfalls in these discussions and provide insights on achieving HIPAA compliance.
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnKloudLearn
HIPPA or Health Insurance Portability and Accountability Act is a United States Legislation that offers data privacy and security provisions for securing confidential and sensitive medical information.
This slideshow provides a brief overview of the basics of HIPAA. Viewers receive a walkthrough of its' core fundamentals. This represents Part 1 of 3 in a series that educate primary care providers on achieving HIPAA compliance.
Developers building healthcare applications for mobile devices, wearables and the desktop need to understand HIPAA requirements in order to build apps that are in compliance. This deck gives application developers an overview of the HIPAA rules and what it means for their software development.
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnKloudLearn
HIPPA or Health Insurance Portability and Accountability Act is a United States Legislation that offers data privacy and security provisions for securing confidential and sensitive medical information.
This slideshow provides a brief overview of the basics of HIPAA. Viewers receive a walkthrough of its' core fundamentals. This represents Part 1 of 3 in a series that educate primary care providers on achieving HIPAA compliance.
Developers building healthcare applications for mobile devices, wearables and the desktop need to understand HIPAA requirements in order to build apps that are in compliance. This deck gives application developers an overview of the HIPAA rules and what it means for their software development.
Application Developers Guide to HIPAA ComplianceTrueVault
Software developers building mobile health applications need to be HIPAA compliant if their application will be collecting and sharing protected health information. This free plain language guide gives developers everything they need to know about mobile health app development and HIPAA.
Not every mHealth app needs to be HIPAA compliant. Not sure whether your mHealth application needs to be HIPAA compliant or not? Read the guide to find out!
A PowerPoint presentation addressing HIPAA overview and definitions, the Privacy Rule, access to medical records, including mental health and psychotherapy notes, and patient amendments or corrections to medical records.
This presentation discusses how to comply with HIPAA and HITECH privacy laws. Learn key terms such as Protected Health Information, the Privacy Rule and the Security Rule as well as major changes brought by HIPAA and HITECH.
While the Health Insurance Portability and Accountability Act (HIPAA) is best known for its multitude of requirements that govern the way health care providers can use, disclose, and safeguard protected health information (PHI), its reach goes far beyond that to health plans and business associates that only handle PHI on a limited basis. HIPAA implementation in these environments creates unique challenges—for example, which provisions actually need to be addressed—but with 2016 marking an all-time high for HIPAA enforcement cases, it may be more important now than ever to address HIPAA compliance.
Health Insurance Portability and Accountability Act (HIPAA) ComplianceControlCase
The majority of changes to HIPAA have been introduced and strengthened by the recent passage of the HITECH and Omni-bus rules.
ControlCase HIPAA Compliance as a Service (CaaS)
is an Integration of services, software and compliance management and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP through our cloud-based GRC.
While this presentation offers a rudimentary understanding of HIPAA as it relates to PHRs, its primary objective is to highlight key aspects of PHR privacy policies provided by non-covered entities (Microsoft & Google) and argue that HIPAA, after significant amendments, should be extended to them.
The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage – such as portability and the coverage of individuals with pre-existing conditions.
https://www.hipaajournal.com/hipaa-training-requirements/
The new HIPAA Omnibus rule becomes/became effective on September 23, 2013. The consequences for violation are significant. Do you know how to handle a HIPAA breach?
This webinar focuses on what you need to do in the event of a HIPAA breach including:
• Mandatory notices to patients
• Notification to governmental agencies
• Getting your own “house in order” as the government will be requesting policies, training logs, etc.
• What to do when social security numbers are disclosed
• Should you get insurance for HIPAA breaches
• Should you offer credit monitoring for impacted patients
Panelists:
Claudia Hinrichsen, The Health Law Partners
Bob Grant, The Compliancy Group
Moderator:
Marc Haskelson, President, The Compliancy Group LLC.
The Health Insurance Portability and Accountability Act Kartheek Kein
HIPAA is the acronym of the Health Insurance Portability and Accountability Act of 1996. The main purpose of this federal statute was to help consumers maintain their insurance coverage, but it also includes a separate set of provisions called Administrative Simplification.
Presentation designed to explain Business Associates the basics of HIPAA and real-life examples of cases that failed to implement and follow HIPAA requirements on a timely basis.
Application Developers Guide to HIPAA ComplianceTrueVault
Software developers building mobile health applications need to be HIPAA compliant if their application will be collecting and sharing protected health information. This free plain language guide gives developers everything they need to know about mobile health app development and HIPAA.
Not every mHealth app needs to be HIPAA compliant. Not sure whether your mHealth application needs to be HIPAA compliant or not? Read the guide to find out!
A PowerPoint presentation addressing HIPAA overview and definitions, the Privacy Rule, access to medical records, including mental health and psychotherapy notes, and patient amendments or corrections to medical records.
This presentation discusses how to comply with HIPAA and HITECH privacy laws. Learn key terms such as Protected Health Information, the Privacy Rule and the Security Rule as well as major changes brought by HIPAA and HITECH.
While the Health Insurance Portability and Accountability Act (HIPAA) is best known for its multitude of requirements that govern the way health care providers can use, disclose, and safeguard protected health information (PHI), its reach goes far beyond that to health plans and business associates that only handle PHI on a limited basis. HIPAA implementation in these environments creates unique challenges—for example, which provisions actually need to be addressed—but with 2016 marking an all-time high for HIPAA enforcement cases, it may be more important now than ever to address HIPAA compliance.
Health Insurance Portability and Accountability Act (HIPAA) ComplianceControlCase
The majority of changes to HIPAA have been introduced and strengthened by the recent passage of the HITECH and Omni-bus rules.
ControlCase HIPAA Compliance as a Service (CaaS)
is an Integration of services, software and compliance management and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP through our cloud-based GRC.
While this presentation offers a rudimentary understanding of HIPAA as it relates to PHRs, its primary objective is to highlight key aspects of PHR privacy policies provided by non-covered entities (Microsoft & Google) and argue that HIPAA, after significant amendments, should be extended to them.
The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage – such as portability and the coverage of individuals with pre-existing conditions.
https://www.hipaajournal.com/hipaa-training-requirements/
The new HIPAA Omnibus rule becomes/became effective on September 23, 2013. The consequences for violation are significant. Do you know how to handle a HIPAA breach?
This webinar focuses on what you need to do in the event of a HIPAA breach including:
• Mandatory notices to patients
• Notification to governmental agencies
• Getting your own “house in order” as the government will be requesting policies, training logs, etc.
• What to do when social security numbers are disclosed
• Should you get insurance for HIPAA breaches
• Should you offer credit monitoring for impacted patients
Panelists:
Claudia Hinrichsen, The Health Law Partners
Bob Grant, The Compliancy Group
Moderator:
Marc Haskelson, President, The Compliancy Group LLC.
The Health Insurance Portability and Accountability Act Kartheek Kein
HIPAA is the acronym of the Health Insurance Portability and Accountability Act of 1996. The main purpose of this federal statute was to help consumers maintain their insurance coverage, but it also includes a separate set of provisions called Administrative Simplification.
Presentation designed to explain Business Associates the basics of HIPAA and real-life examples of cases that failed to implement and follow HIPAA requirements on a timely basis.
The Importance of HIPAA Compliance in Digital Healthcare Solutions.pptxMocDoc
As the healthcare industry continues to digitize, it's more important than ever to make sure that your healthcare software solutions are HIPAA compliant. Here's why HIPAA compliance is so important in the digital healthcare space, and how you can ensure that your solutions are compliant.
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfSuccessiveDigital
This is an article about HIPAA-compliant app development for the healthcare industry. It discusses the importance of HIPAA compliance and the risks of non-compliance. The article also outlines the steps involved in developing a HIPAA-compliant app. Some of the important points from this article are that HIPAA compliance is an ongoing process and that there is no certification required to build a HIPAA-secure app.
Overview of hipaa & tools for hipaa complianceSquare 9
http://www.square-9.com/document-management-software | Square 9’s SmartSearch document management system makes it easy to organize and protect confidential patient information and maintain HIPAA compliance. SmartSearch is enterprise-class software that eliminates paper in organizations of all sizes.
Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...Dan Wellisch
Here is our September 2019 meeting presentation to the Chicago Technology For Value-Based Healthcare Group (https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/) on meaningful KPIs in the hospital setting.
The Role Of Community-Based Organizations in Achieving Population Health GoalsDan Wellisch
Marc Rosen discusses how the YMCA participates in keeping the population healthy. He presented to our group found here.: https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/
At the Chicago Technology For Value-Based Healthcare October 2018 meetup (https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup), Omar Husain cuts through healthcare data to show how providers can save their bottom lines.
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...Dan Wellisch
This is an addendum to the June 2018 presentation (to the Chicago Technology For Value-Based Healthcare Meetup https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/) containing interesting info. about what may replace the Affordable Care Act
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...Dan Wellisch
This is the June 2018 presentation to the Chicago Technology For Value-Based Healthcare https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/
White Paper distributed at our May 2018 meeting of the Chicago Technology For Value-Based Healthcare Meetup Group - https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/
Chronic Care Management - Implemented By TimeDoc - May 2018Dan Wellisch
This is May's presentation of the Chicago Technology For Value-Based Healthcare Meetup - https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/
Managing HIPAA Business Associate Relationships - April 24, 2018 Dan Wellisch
This is the April presentation of the Chicago Technology for Value-Based Healthcare Meetup Group - https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/
Using Models For Analytically-Driven Cultural TransformationDan Wellisch
Jason Cooper delivered a powerful presentation at our meetup: Chicago Technology For Value-Based Healthcare found here: https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/ on March 20. 2018
Analyzing Breast Cancer Dataset with Azure Machine Learning StudioDan Wellisch
This presentation was given by https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/ Member Frank Mendoza of Catalytics on January 23, 2018
Simple Linear Regression: Step-By-StepDan Wellisch
This presentation was made to our meetup group found here.: https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/ on 9/26/2017. Our group is focused on technology applied to healthcare in order to create better healthcare.
Mike Ghen gave this presentation to the Chicago Technology For Value-Based Healthcare Meetup (https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/). Mike since has moved to Philadelphia where he started the Philadelphia Technology For Value-Based Healthcare (https://www.meetup.com/Philadelphia-Technology-For-Value-Based-Healthcare-Meetup/). The Chicago and Philadelphia chapters share a website at techforvaluebasedhealthcare.org
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?Dan Wellisch
Dan Wellisch gave this presentation to the Chicago Technology For Value-Based Healthcare Meetup (https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/)
Using Predictive Analytics For Care Management And CoordinationDan Wellisch
This presentation was given by Dennis O'Donnell for the Chicago Technology For Value-Based Healthcare Meetup (https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/)
Dan Wellisch gave this presentation to the Chicago Technology For Vaue Based Healthcare Meetup at https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/
Using The Hadoop Ecosystem to Drive Healthcare InnovationDan Wellisch
Presentation delivered to the Chicago Technology For Value-Based Healthcare Meetup (https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/)
Telehealth Psychology Building Trust with Clients.pptxThe Harvest Clinic
Telehealth psychology is a digital approach that offers psychological services and mental health care to clients remotely, using technologies like video conferencing, phone calls, text messaging, and mobile apps for communication.
Navigating the Health Insurance Market_ Understanding Trends and Options.pdfEnterprise Wired
From navigating policy options to staying informed about industry trends, this comprehensive guide explores everything you need to know about the health insurance market.
Welcome to Secret Tantric, London’s finest VIP Massage agency. Since we first opened our doors, we have provided the ultimate erotic massage experience to innumerable clients, each one searching for the very best sensual massage in London. We come by this reputation honestly with a dynamic team of the city’s most beautiful masseuses.
Navigating Challenges: Mental Health, Legislation, and the Prison System in B...Guillermo Rivera
This conference will delve into the intricate intersections between mental health, legal frameworks, and the prison system in Bolivia. It aims to provide a comprehensive overview of the current challenges faced by mental health professionals working within the legislative and correctional landscapes. Topics of discussion will include the prevalence and impact of mental health issues among the incarcerated population, the effectiveness of existing mental health policies and legislation, and potential reforms to enhance the mental health support system within prisons.
One of the most developed cities of India, the city of Chennai is the capital of Tamilnadu and many people from different parts of India come here to earn their bread and butter. Being a metropolitan, the city is filled with towering building and beaches but the sad part as with almost every Indian city
2. 1
About Me
• Finance
• Strategy
• M&A
• Bus dev • Prod Dev
• IT
• Startups
• Technology
• Prod Dev
• Finance
• Bus Dev
Fortune 500 Dot Com Healthcare Healthcare Consulting
3. 2
Today As Advertised
Every healthcare startup needs to comply with HIPAA and data
security regulations, especially when selling to health systems.
The provider chief compliance officer and the chief information
security officer must agree that a solution is HIPAA compliant
and does not pose a security risk. Jim Anfield will prepare
entrepreneurs to partner with health systems who care about
compliance and security above all. He will offer insights on
HIPAA compliance for startups and walk through common
pitfalls when communicating how solutions incorporate
compliance and security requirements.
5. 4
The Federal Government has leveled several large scale HIPAA fines…
Covered Entity Media Fine Amount Violation
Alaskan Department of
Health and Social Services
$1.7 million
Portable unsecured electronic
storage device (USB hard drive)
possibly containing PHI was stolen
from the vehicle of a DHHS
employee
Puerto Rican insurer
Triple S Salud
$6.8 million
Mailed a pamphlet displaying the
Medicare Health Insurance Claim
Number of approximately 70,000 of
its Medicare Advantage
beneficiaries.
WellPoint (aka Anthem),
Blue Cross Blue Shield
plans in 14 states
$1.5 million
Cyber attack data breach affecting
80 million customers resulting in
account information stolen
Stanford University's Lucile
Packard Children's Hospital
$4.0 million
Stolen unencrypted laptop
containing medical information on
13,000 pediatric patients
6. 5
HIPAA impacts not only large entities but also much smaller organizations…
Covered Entity Media Fine Amount Violation
Skagit County, State of
Washington
$215,000
Electronic receipts for 1,600
patients containing their protected
health information had been
improperly placed online and
accessed.
Massachusetts medical
billing practice and four
pathology groups
$140,000
Sensitive medical records and
confidential billing information for
tens of thousands of Massachusetts
patients were improperly disposed
of at a public dump
Phoenix Cardiac Surgeons,
LLC
$100,000
Group’s clinical and surgical
appointments were available to the
public on an Internet-based
calendar
Cornell Prescription
Pharmacy
$125,000
Disposal of unshredded documents
containing the protected health
information of 1,610 patients in an
open dumpster.
7. 6
Several major brands have suffered bad publicity and damage…
Anthem BlueCross BlueShield – data
breach affecting 80 million members
Advocate HC – stolen unencrypted
laptops affecting 4 million patients
Walgreens – employee breach of
customer data for personal gain
Premera BlueCross BlueShield – data
breach affecting 11 million members
Sony Pictures – data breach impacting
health records of 30,000 employees
BCBS TN – 57 hard drives stolen
impacting 1 million members
8. 7
Not only does HIPAA impact entitles, it reaches down to the employee level -
loss of job, personal fines, and prison time.
UCLA Medical Center – 4 months in
prison for illegally viewing PHI
NE Arkansas nurse fired, sentenced to
probation for illegally viewing PHI
Dentist paid $12,000 for dumping files
on an unsecured basis
University of Iowa Hospital – 4
employees fired for illegally viewing PHI
East TX Hospital employee sentenced
to 18 months for illegally viewing PHI
Lake Health (OH) fired several
employees for illegally viewing PHI
9. 8
Your strategy for HIPAA as it pertains to selling to providers…
The best defense is a good offense.
10. 9
Proactively address HIPAA and be ready to go
Market requirements will require you to become HIPAA compliant
• If you are working with providers and their patient data, it will be mandatory that
you are compliant with HIPAA.
• You will avoid lengthy hospital provider conversations, especially with the
hospital compliance office.
• You will be able to take this risk off of the table in your business development
meetings.
• You will have to sign a Business Associates Agreement (BAA) and agree to
Master Services Agreement (MSA) language with warranties, representations,
and indemnification regarding all aspects of HIPAA.
Be prepared to talk to the following people as they will vet your solution for
HIPAA
• Chief Medical Officer
• Chief Information Officer
• Chief Medical Information Officer
• Chief Information Security Officer
• Chief Compliance Officer
11. 10
High Level HIPAA Roadmap
Become compliant with HIPAA
• Develop an enterprise fluent understanding of HIPAA
• Embed HIPAA into your culture and operations
• Develop game plan to implement HIPAA requirements
• Completely document your HIPAA efforts
• At this stage, you are compliant with HIPAA
Ultimately, you will need to achieve HIPAA Compliance
• Conduct a HIPAA self assessment
• When ready, contract out and conduct a HIPAA audit
• The HIPAA audit and successful audit remediation will achieve HIPAA
Compliance
• If successful, the satisfactory audit report will be your certification
12. 11
How do you become HIPAA Compliant?
Here’s the blueprint.
13. 12
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 was enacted by the United States
Congress and signed by President Bill Clinton on August 21, 1996. It has been known as the Kassebaum-
Kennedy Act after two of its leading sponsors.
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose
their jobs. Title I also regulates the availability and breadth of group health plans and certain individual
health insurance policies.
Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of
individually identifiable health information as well as outlining numerous offenses relating to health care and
sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse
within the health care system.
However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires
the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the
health care system by creating standards for the use and dissemination of health care information.
These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health
plans, health care clearinghouses, such as billing services and community health information systems, and
health care providers that transmit health care data in a way that is regulated by HIPAA.
Per the requirements of Title II, the HHS has promulgated rules regarding Administrative Simplification: the
Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, the
Breach Notification Rule, and the Enforcement Rule.
Source: Wikipedia,.
14. 13
Four major rules to understand on the path to HIPAA Compliance…
HIPAA Privacy
Rule
HIPAA Breach
Notification Rule
HIPAA
Enforcement
Rule
• HIPAA Privacy Rule establishes national standards to protect individuals’ medical records
and other PHI. Requires appropriate safeguards to protect PHI privacy and sets
conditions/limits/disclosures with patient authorization. Defines patients’ rights regarding
access to their records.
• HIPAA Breach Notification Rule requires most healthcare providers to notify patients when
there is a breach of unsecured PHI. Requires the entities to promptly notify HHS if there is
any breach of unsecured PHI and notify the media/public if the breach affects more than 500
patients.
• HIPAA Enforcement Rule spells out investigations, penalties, and procedures for hearings.
Penalties can include fines and/or prison time.
Overview and key points
HIPAA Security
Rule
• HIPAA Security Rule requires appropriate Administrative, Physical, and Technical
Safeguards to ensure confidentiality, integrity, and security of protected health information
(PHI).
15. 14
The HIPAA Privacy Rule provides the definitions of compliance…
Privacy Rule
Rule Summary
• The Privacy Rule addresses the use and disclosure of individual’s Protected Health Information (PHI) by organizations
subject to the Privacy Rule (Covered Entities) as well as standards for individuals privacy rights to understand and
control how their PHI is used.
• A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the
flow of health information needed to provide and promote high quality health care and to protect the public’s health and
well being.
• The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services has the responsibility for
promoting and enforcing the Privacy Rule.
Health Plans
Health Plan Covered Entities include
individual and group health insurance
plans that provide or pay the cost of
medical care including health, dental,
vision, prescription drug insurers,
health maintenance organizations,
Medicare, Medicaid, Medicare
supplemental insurers, and long-term-
care insurers.
Health Care Providers
All health care providers who provide
medical or health services, regardless
of size, who electronically transmit
health information in connection with
certain transactions. Transactions
include claims, benefit eligibility,
referral authorization, and other
HIPAA transactions.
Health Care Clearinghouses
Entities that process non-standard
information they receive from another
entity. Clearinghouses only receive
PHI only when they are providing
services to a Health Plan or Health
Care Provider. Clearinghouses
include billing services, community
health management information
systems, and repricing companies.
Who are the Covered Entities subject to the Privacy Rule?
16. 15
Know the Privacy Rule Definitions
Term Definition
Protected Health
Information (PHI)
All individually identifiable health information held or transmitted by a Covered Entity or its
Business Associate in any form or media including electronic or paper. PHI includes any
information that relates to the individuals’ past, present, or future physical or mental
health/condition as well as the provision of past, present, or future provision or payment for
health care to the individual that identifies the individual or there is a reasonable basis to
identify the individual.
Business Associate
Person or organization that performs certain functions or activities on behalf or to a covered
entity that includes the use or disclosure of PHI and can include claims processing, data
analysis, utilization review, legal, actuarial, consulting, accounting, data aggregation,
management, administrative, accreditation, or financial services.
Business Associate
Agreement (BAA)
Agreement necessary to be put in place when a Covered Entity engages a Business
Associate perform functionality that requires access or exposure to PHI.
De-Identified Health
Information
De-Identified Health Information neither identifies or provides a reasonable basis to identify
the individual. There are two ways to de-identify PHI: 1) a formal determination by an expert;
or 2) the removal of specified identifiers of the individual.
Authorization
A Covered Entity must obtain the individual’s written authorization for any use or disclosure
of PHI that is not for payment, treatment, or operations. The Covered Entity may not
condition payment, treatment, or operations on an individual granting authorization.
Communication for treatment of the individual or care coordination for the individual to
recommend treatment are not subject to Authorization.
Minimum Necessary
A Covered Entity must make reasonable efforts to use, disclose, and request only the
minimum amount of PHI to accomplish the intended purpose of the use, disclosure, or
request. The Covered Entity must develop/implement a Minimum Use Policy and Procedure.
17. 16
Understand Privacy Rule – Permitted Uses and Disclosures of PHI
Permitted
Uses and
Disclosures
Individual
Payment,
Treatment,
Operations
Permitted by
Individual
Incidental
Use and
Disclosure
Public
Interest and
Benefit *
De-Identified
Limited Data
Set
Basic Principle
A major use of the Privacy Rule is to define
and limit the circumstances in which a
individual’s PHI may be used or disclosed by
Covered Entities.
Required Disclosures
A Covered Entity must disclose PHI in two
situations: 1) upon request by the individual;
2) to HHS when undertaking a compliance
investigation.
Permitted Use and Disclosures
A Covered Entity is permitted but not
required to use and disclose PHI without and
individual’s authorization for the reasons
listed in the diagram to the right.
* Public Interest and Benefit
Includes required by law, public health,
abuse or domestic violence cases, law
enforcement, research, worker’s comp,
serious threat to health/safety, etc.
18. 17
The Privacy Notice is a key component of the Privacy Rule.
Each Covered Entity must provide a copy of its Notice of Privacy Practices and it must contain the following elements:
• Describe the ways in which the Covered Entity may use and disclose PHI.
• State the Covered Entity’s duties to protect privacy
• Provide a notice of privacy practices and abide by the current notice
• Describe the individual’s rights including the right to complain to HHS and the Covered Entity if they believe their privacy
rights have been violated.
• Include a point of contact for further information and for making complaints
In addition to the Privacy Notice, individuals have the following rights with regards to PHI held by a Covered Entity:
• Access – To review and obtain a copy of their PHI in the Covered Entity’s dataset
• Ability to Amend PHI – To have Covered Entities amend their PHI when they feel the information is inaccurate or incorrect
• Disclosure Accounting – Access to an accounting of the disclosures of their PHI by a Covered Entity for a maximum of six
years.
• Restriction Request – To request that a Covered Entity restrict use or disclosure of PHI for payment, treatment, and
operations. However, Covered Entity is under no obligation to agree to requests for restrictions.
19. 18
Action Description Implementation
Privacy
Policies and
Procedures
Covered Entity must develop and implement written privacy policies and
procedures.
Develop Policies and
Procedures manual
Privacy
Personnel
Covered Entity must designate a privacy official responsible for developing and
implementing privacy policies and procedures and also provide a contact
person for receiving complaints and inquiries.
Assign this duty to a
company leader
Policies and
Procedures
Workforce
Training and
Management
Covered Entity must train all employees on its policies and procedures which
include sanctions for policy violations.
Training program
Sourced Computer
Based Training
Mitigation
Covered Entity must mitigate any harmful effect that was caused by use or
disclosure of PHI in violation of its Policies and Procedures or the Privacy Rule.
Business/IT functional
response as needed
Data
Safeguards
Covered Entity must maintain administrative, technical, and physical safeguards
to prevent intentional or unintentional of PHI in violation of its Policies and
Procedures or the Privacy Rule.
See Security Rule for
implementation.
Complaints
Covered Entity must have procedures for individuals to complain about its
compliance with its policies and procedures and the Privacy Rule.
Policies and
Procedures
Implement at the web
HIPAA Privacy Rule – implementation
20. 19
HIPAA Privacy – implementation continued
Action Description Implementation
Documentation
and Record
Retention
Covered Entity must maintain for at least six years its privacy policies and
procedures, its privacy practices notices, disposition of complaints, and other
actions that the Privacy Rule requires to be documented.
Policies and
Procedures
Store historical
information on Cloud
Privacy Policy
Covered Entity must establish and publish its Privacy Policy with the elements
listed per the Privacy Rule. Typically, the Privacy Policy is linked from the
company website.
Policy and Procedure
Post Privacy Policy on
the web.
Retaliation and
Waiver
Covered Entity may not retaliate against a person for exercising rights provided
by the Privacy Rule, for assisting with an investigation by HHS, or opposing an
action that the person believes in good faith violates the Privacy Rule.
Policy and Procedure
21. 20
HIPAA defines the way PHI breaches are handled.
Breach Notification Rule
Definition of PHI Breach
Unauthorized use or disclosure of unsecured protected health information unless the HIPAA
covered entity can demonstrate that the probability of the PHI being compromised is a low
probability
To show low probability, a risk assessment should be completed:
1. What kind of PHI was involved – identifiers and likelihood of re-identification?
2. Who was the person who had the unsecured PHI?
3. What was the PHI that was actually viewed?
4. What is the actual risk to the PHI?
Three exceptions to the definition of Breach:
1. Unintentional access to the PHI in the workplace or acting under the authority of the Covered
Entity
2. Accidental disclosure of PHI by someone who is authorized to access the PHI
3. Covered Entity has a good belief that the person who accessed the PHI was unauthorized and
was not able to retain the PHI
22. 21
There are specific steps to notify those affected by a breach.
• Breach Notification should be sent to the affected individuals by first class mail or email if the
individual has selected this method.
• Must be sent out within 60 days of discovery of the breach.
• Notification should include:
- Description of breach
- Type of information breached
- Steps individuals need to take to protect themselves
- Steps the Covered Entity is taking to investigate and prevent further breaches
• If the individual contact information is out of date for more than 10 individuals, then the Covered
Entity is required to post a notice on its website for 90 days or send a media notice. Toll free
number needs to be posted.
• Media notice is required in addition to individual notification.
• Media notice takes the form of a press release within 60 days to the media outlets that serve the
areas that are affected.
• Notification of the breach also needs to be sent to the office of the U.S. Secretary of Health and
Human Services (HHS).
• An investigation by the Office for Civil Rights under HHS may be initiated to determine cause
as well as potential penalties under the Enforcement Rule.
More than 500
individuals
23. 22
HIPAA defines the penalties for breaches.
Enforcement Rule
Violation Category Penalty for Each Violation
Maximum for All Violations of
an Identical Provision in a
Calendar Year
Did Not Know $100 - $50,000 $1,500,000
Reasonable Cause $1,000 - $50,000 $1,500,000
Willful Neglect – Corrected $10,000 - $50,000 $1,500,000
Willful Neglect – Not Corrected $50,000 $1,500,000
• HHS is mandated to conduct HIPAA investigations if a preliminary review indicates a potential violation
is due to willful neglect. Otherwise, investigations are discretionary.
• HHS will not impose the maximum penalty in all cases but will determine the fine amount on a case by
case basis depending upon the nature and extent of the violation, the nature and extent of resulting
harm, the history of non-compliance of the entity, and the financial condition of the entity.
• Previous history of non-compliance is major factor as HHS will use the history as either a mitigating or
punitive factor.
• The Enforcement Rule prohibits the imposition of a civil monetary penalty for any violation of than willful
neglect if the violation is corrected within 30 days of the entity realization of the violation.
24. 23
The Security Rule defines requirements to protect PHI.
Security Rule
Technical
Safeguards
Physical Safeguards
Administrative
Safeguards
1. Access Control
2. Audit Controls
3. Integrity
4. Authentication
5. Transmission Security
1. Facility Access Control
2. Workstation Use
3. Workstation Security
4. Device and Media Controls
1. Security Management Process
2. Assigned Security Responsibility
3. Workforce Security
4. Information Access Management
5. Security Awareness and Training
6. Security Incident Procedures
7. Contingency Plan
8. Evaluation of Business/Law
Changes
9. BAA Contracts and Other
Agreements
Technical Safeguards focus on the
technology that protects PHI and
controls access to it. The standards of
the Security Rule do not require you to
us specific technologies and are
designed to be “technology neutral.”
Physical Safeguards are a set of rules
and guidelines that focus on the
physical access to PHI.
Administrative Standards are a
collection of policies and procedures
that govern the conduct of the
workforce and the security measures
put in place to protect PHI.
25. 24
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Access
Control
Unique User
Identification
Assign a unique name and/or number for
identifying and tracking user identity
User authentication
Access
Control
Emergency
Access
Procedure
Establish procedure for obtaining necessary PHI
during an emergency.
Policy and Procedure
Business process set up to fulfill
requests
Access
Control
Automatic Logoff
Implement electronic procedures that terminate
an electronic session after a predetermined time
of inactivity
Build timeout into technology
Access
Control
Encryption and
Decryption
Implement technology to encrypt and decrypt
data both at rest and in transmission
Database encryption
Audit Controls Audit Controls
Implement hardware, software, and/or
procedural mechanisms to corroborate that
record and examine activity in information
systems that contain or use PHI
Build logging and audit
capability
Integrity
Mechanism to
Authenticate PHI
Implement electronic mechanisms to
corroborate that PHI has not been altered or
destroyed in an unauthorized manner.
Build tracking, logging, and
audit into technology
Authentication Authentication
Implement procedures to verify that a person or
entity seeking access to PHI is the one claimed
Build user authentication in
technology
26. 25
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Transmission
Security
Integrity
Controls
Implement security measures to ensure that
electronically transmitted PHI is not improperly
modified without detection until disposed of.
Build audit, logging, and
tracking in technology
Transmission
Security
Encryption
Implement a mechanism to encrypt PHI whenever
deemed appropriate.
Encrypt data wherever needed
Facility Access
Controls
Contingency
Operations
Establish (and implement as needed) procedures
that allow facility access in support of restoration
of lost data under the Disaster Recovery Plan and
emergency mode operations in the event of an
emergency.
Develop and test DR/BC plan
Facility Access
Controls
Facility Security
Plan
Implement policies and procedures to safeguard
the facility and the equipment therein from
unauthorized physical access, tampering, and
theft.
Alarm systems
Keys policy
Facility Access
Controls
Access Control
and Validation
Procedures
Implement procedures to control and validate a
person’s access to facilities based upon their role
or function, including visitor control, and control
of access to software programs for testing and
revision.
Policy and Procedure
Role based access
Business process to support
Facility Access
Controls
Maintenance
Records
Implement policies and procedures to document
repairs and modifications to the physical
components of a facility which are related to
security (e.g., hardware, walls, doors, and locks).
Policy and Procedure
Alarm system
Keys policy
27. 26
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Workstation
Use
Workstation Use
Implement policies and procedures that specify
the proper functions to be performed, the manner
in which those functions are to be performed,
and the physical attributes of the surroundings of
a specific workstation or class of workstation
that can access PHI.
Policies and Procedures
Workstation
Security
Workstation
Security
Implement physical safeguards for all
workstations that access PHI, to restrict access
to authorized users.
Laptop encryption
No laptop PHI
Policy and Procedure
Device and
Media Controls
Disposal
Implement policies and procedures to address
the final disposition of PHI and/or the hardware
or electronic media on which it is stored.
Policy and Procedure
Build PHI destruction in the
database
Device and
Media Controls
Media Re-Use
Implement procedures for removal of PHI from
electronic media before the media are made
available for re-use
Flash drive/CD destruction
Policy and Procedure
Device and
Media Controls
Accountability
Maintain a record of the movements of hardware
and electronic media and any person responsible
therefore.
Develop record database,
maintain database, and store on
the network
Security
Management
Process
Risk Analysis
Perform and document a risk analysis to see
where PHI is being used and stored in order to
determine all the ways that HIPAA could be
violated.
Perform Risk Analysis using
Risk Analysis Tool
28. 27
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Security
Management
Process
Risk
Management
Implement sufficient measures to reduce these
risks to an appropriate level.
Policies and Procedures
Security
Management
Process
Sanction Policy
Implement sanction policies for employees who
fail to comply.
Policy and Procedure
Security
Management
Process
Information
Systems Activity
Review
Regularly review system activity, logs, audit
trails, etc.
Business process to review logs
Assigned
Security
Responsibility
Officer Designate HIPAA Security and Privacy Officers.
Assign this role to a company
leader
Workforce
Security
Employee
Oversight
Implement procedures to authorize and supervise
employees who work with PHI, and for granting
and removing PHI access to employees. Ensure
that an employee’s access to PHI ends with
termination of employment.
Policy and Procedure
Business process to support
Information
Access
Management
Multiple
Organizations
Ensure that PHI is not accessed by parent or
partner organizations or subcontractors that are
not authorized for access.
Put BAA in place for appropriate
organizations
29. 28
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Security
Awareness and
Training
Security
Reminders
Periodically send updates and reminders about
security and privacy policies to employees.
Annual employee training
Develop ongoing HIPAA
program for employees
Security
Awareness and
Training
Protection
Against Malware
Have procedures for guarding against, detecting,
and reporting malicious software.
Implementation of firewalls,
anti-virus, and other security
protections
Security
Awareness and
Training
Password
Management
Ensure that there are procedures for creating,
changing, and protecting passwords.
Create and implement password
change policy
Security
Awareness and
Training
Login Monitoring
Institute monitoring of logins to systems and
reporting of discrepancies.
Build logging and monitoring
into technology
Security
Incident
Procedures
Response and
Reporting
Identify, document, and respond to security
incidents.
Policy and Procedure
Security business process
Contingency
Plan
Contingency
Plan
Ensure that there are accessible backups of PHI
and that there are procedures for restoration of
any lost data.
Create frequent backups for the
database
Contingency
Plan
Contingency
Plans Updates
and Analysis
Have procedures for periodic testing and revision
of contingency plans. Assess the relative
criticality of specific applications and data in
support of other contingency plans components.
Test DR/BC plans
30. 29
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Contingency
Plan
Emergency Mode
Establish (and implement as needed) procedures
to enable continuation of critical business
procedures for protection of the security of PHI
while operating in emergency mode.
DR/BC Plan
Evaluations Evaluations
Perform periodic evaluations to see if any
changes in your business or the law require
changes to your HIPAA compliance procedures.
HIPAA seminars and education
Business
Associate
Agreements
Business
Associate
Agreements
Have special contracts with business partners
who will have access to your PHI in order to
ensure that they will be compliant. Choose
partners that have similar agreements with any of
their partners to which they are also extending
access.
BAA
31. 30
Summary - Achieving HIPAA Compliance
Key Activities
• Develop HIPAA Policies and
Procedures and implement
• Name Chief Compliance Officer
• Implement enterprise training for Policy
and Procedures
• Mandatory annual HIPAA training for
employees and onboarded new
employees
• Put BAA agreements in place with both
vendors and customers
• Develop security measures for laptops
including encryption
• Implement ongoing HIPAA employee
communication program
• Post Privacy Notice on website
• Build into technology
- Database encryption – at rest and
in transit
- Role Based Access to systems
- Authentication – two factor
- Access audit records
- Documented technology
configurations
- Data corroboration
• Develop Breach Notification Plan
• Conduct preliminary enterprise risk
assessment and analysis using National
Institute of Standards and Technology
(NIST) Assessment Tool
• Remediate any issues flagged by the
NIST Assessment Tool
• When ready, contract out for a HIPAA
Compliance Audit.
• Remediate any issues flagged by the
audit.
• Receive final Compliance Audit report
showing documented HIPAA compliance
• Maintain and adhere to HIPAA Policies
and Procedures
• Maintain ongoing employee HIPAA
program
• Defend against PHI breaches.
• Conduct periodic Risk Assessments
• Prepare for and assist with any customer
HIPAA audits
• Respond, if necessary, to any and all
breaches.
• Achieve SOC 2 compliance
Become HIPAA compliant Achieve HIPAA Compliance HIPAA Maturity
32. 31
When in doubt, go to the source
https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html