HOW TO REALLY
IMPLEMENT
HIPAA
Presented by: Melissa Skaggs
Provider Resources Group
WHAT IS HIPAA
 The Health Insurance Portability and Accountability Act of 1996 (HIPAA;
Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the
United States Congress and signed by President Bill Clinton in 1996. It has been
known as the Kennedy-Kassebaum Act after two of its leading sponsors. Title I of
HIPAA protects health insurance coverage for workers and their families when
they change or lose their jobs. Title II of HIPAA, known as the Administrative
Simplification (AS) provisions, requires the establishment of national standards for
electronic health care transactions and national identifiers for providers, health
insurance plans, and employers.
 This act gives the right to privacy to individuals from age 12 through 18. The
provider must have a signed disclosure from the affected individual before giving
out any information on the health care provided to anyone, including parents.
 The administrative simplification provisions also address the security and privacy
of health data. The standards are meant to improve the efficiency and
effectiveness of the nation's health care system by encouraging the widespread
use of electronic data interchange in the U.S. health care system.
www.wikipedia.com
WHO IS IMPACTED? DO I NEED TO
CARE?
Health care providers – A provider of medical, psychiatric, or other health
services, and any other person or entity furnishing health care services or supplies.
Health plans – an individual or group health plan that provides or pays the cost of
medical care.
Clearinghouses – A public or private entity that processes or facilitates the
processing of non-standard data elements of health information into standard data
elements and who transmits any health information in electronic form in
connection with a transaction covered in the legislation.
Business Associates and Trading Partners
WHAT IS PROTECTED HEALTH
INFORMATION
A person’s name, address, birth date, age, phone and fax numbers, e-mail address
Medical records, diagnosis, x-rays, photos, prescriptions, lab work, test results
Billing records, claim data, referral authorizations, explanation of benefits
Research records
Past, Present or Future condition or payment
Covered Entity (CE)
Any business entity that must comply with HIPAA regulations, which includes health-
care providers, health plans and health-care clearinghouses. For purposes of
HIPAA, health-care providers include hospitals, physicians and other caregivers. This
would include:
 County Boards of DD
 Private Providers
 Agency Providers
 Therapy Providers
 Nursing Providers
 Behavioral Support Providers
Business Associate (BA)
A person or organization that performs a function or activity on behalf of a
covered entity, but is not part of the covered entity's workforce. A business
associate can also be a covered entity in its own right. This would include
any VENDOR or CONTRACTOR that comes in contact with individuals or
their information. Some examples……
Billing Agents
IT Providers
Software Providers (Intellinetics, Gatekeeper, CareTracker, Solona to name a
few)
Shredding Companies
Contracted Service Providers
COGS
Housing Providers
A Covered Entity must have a Business Associate Agreement on file for all
vendors classified as a Business Associate.
BUSINESS ASSOCIATES CONTRACTS
MUST...
Establish the permitted and required uses and disclosures of protected
health information by the business associate, and not authorize further
disclosure in violation of the regulations.
If the covered entity knows of a practice or pattern of activity that constitutes
a material breach of the business associate's obligations under the contract,
the covered entity must take reasonable steps to cure the breach and, if that
fails, terminate the contract or report the problem to the Office for Civil Rights.
BUSINESS ASSOCIATES
OBLIGATIONS
Must not use or disclose protected health information in violation of the law or
contract.
Implement safeguards against improper use or disclosure.
Ensure that any agents or subcontractors agree to fulfill contractual and legal
obligations.
Afford individual access to records; make available records for amendment by the
individual; account to the individual for use or disclosure other than for payment,
treatment, or operations.
At termination of the contract, return or destroy protected health information.
What do We Need to Be Thinking About?
JUST GIVE ME THE POLICIES
ALREADY
Policies should reflect how your organization is handling the
requirements of HIPAA
These policies should be reviewed annually at a minimum to ensure that
the policy is staying current with the organization and technology
Staff MUST be trained on HIPAA policies at least annually; keeping HIPAA in
front of staff needs to be ongoing.
Hardware, Software and Transmission Security
 Organizations should have a hardware firewall in place. Transmission of personal
information should be encrypted and comply with HIPAA. Policies should cover the
updating of hardware, firmware, operating systems and applications.
Disaster Backup and Recovery Plans
 Policies and Procedures should include a Disaster Backup and Recovery plan to ensure
the business can continue operations in the event of a disaster. This includes keeping
the business running, recovering lost data, testing of backup procedures and
replacement of equipment.
Training of Staff
 Organizations should provide a training program to raise awareness of HIPAA rights.
Every individual in the organization must be trained on a regular basis. Training should
be provided to include employee awareness, password safeguarding and
changing, workstation access, software use, virus and malware information and other
mission critical operations.
Record and Information Access
 Policies should define roles on who can have what access to programs and information.
These policies should further define the roles in information technology of the IT
personnel who have the rights to modify the access.
Some things to think about with Data Security
Secure Email System - Encryption
Secure File Transfer
Secure Website for Data transfer (if applicable)
Do we have a written Disaster Backup and Recovery Plan
Where is it
Who’s in charge of the plan
Have you tested your plan
Do you provide HIPAA training to all new staff and ongoing refresher
trainings (so it’s always kept out in front of staff)…do you test your staff
Who has access to staff and consumer information
Secure passwords (complex, set change schedule)
Systems set up so a user can access only needed information
Files saved with Password Protection
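The two points above about access (users can reach only the information they need, and only designated IT staff can change who has access) and the earlier business-associate obligation to account to the individual for disclosures other than for treatment, payment or operations all land in the same place: the code that decides whether a read is allowed. The block below is an added example, not code from the presentation or from any vendor it names. The roles, field names, purposes and the sample patient record are assumptions made up for illustration; the point is that the access decision and the audit-log entry are produced together, so every read, allowed or denied, is on record.

```python
"""Minimum-necessary access control plus an append-only audit trail for PHI.

Added example; not code from the presentation or from any named vendor.
Roles, field names, purposes and the sample record are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Sequence, Set, Tuple

# Which PHI fields each role needs to do its job (assumed policy).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "clinician": {"name", "dob", "diagnosis", "prescriptions", "lab_results"},
    "billing": {"name", "dob", "claim_data", "insurance_id"},
    "it_admin": set(),  # administers systems; no business need for PHI content
}

# Clinical detail is released only when the stated purpose is treatment (assumed policy).
TREATMENT_ONLY: Set[str] = {"diagnosis", "prescriptions", "lab_results"}

# Treatment, payment and operations uses are exempt from the accounting of disclosures.
TPO_PURPOSES: Set[str] = {"treatment", "payment", "operations"}

# Constructed sample record used by demo(); not real data.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "A. Example",
    "dob": "1980-01-01",
    "diagnosis": "example diagnosis",
    "claim_data": "claim-0001",
    "insurance_id": "INS-0001",
}


@dataclass(frozen=True)
class AccessEvent:
    """One line of the audit log; frozen so an entry cannot be altered after the fact."""
    when: str
    user: str
    role: str
    patient_id: str
    requested: Tuple[str, ...]
    released: Tuple[str, ...]
    purpose: str
    allowed: bool


class PhiStore:
    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}
        self._log: List[AccessEvent] = []  # append-only; nothing here is ever edited

    def add_record(self, patient_id: str, record: Dict[str, str]) -> None:
        self._records[patient_id] = dict(record)

    def read(self, user: str, role: str, patient_id: str,
             fields: Sequence[str], purpose: str) -> Dict[str, str]:
        """Return only the requested fields this role may see; log the decision either way."""
        record = self._records.get(patient_id, {})          # unknown patient -> nothing
        permitted = set(ROLE_FIELDS.get(role, set()))       # unknown role -> nothing
        if purpose != "treatment":
            permitted -= TREATMENT_ONLY
        # Minimum necessary: what was asked for AND what the role may see AND what exists.
        released = tuple(f for f in fields if f in permitted and f in record)
        allowed = bool(released)
        self._log.append(AccessEvent(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            requested=tuple(fields), released=released,
            purpose=purpose, allowed=allowed,
        ))
        return {f: record[f] for f in released}

    def accounting_of_disclosures(self, patient_id: str) -> List[AccessEvent]:
        """What the individual is entitled to see: every release made for a non-TPO purpose."""
        return [e for e in self._log
                if e.patient_id == patient_id and e.allowed and e.purpose not in TPO_PURPOSES]

    def denied_attempts(self) -> List[AccessEvent]:
        """Requests that released nothing: the events an internal audit should review first."""
        return [e for e in self._log if not e.allowed]


def demo() -> Dict[str, object]:
    """Walk through the cases a reviewer would check and return the outcomes."""
    store = PhiStore()
    store.add_record("p001", SAMPLE_RECORD)
    treat = store.read("dr_lee", "clinician", "p001", ["name", "diagnosis"], "treatment")
    bill = store.read("acct_kim", "billing", "p001", ["name", "diagnosis", "claim_data"], "payment")
    admin = store.read("it_pat", "it_admin", "p001", ["name"], "operations")
    research = store.read("dr_lee", "clinician", "p001", ["name", "diagnosis"], "research")
    missing = store.read("dr_lee", "clinician", "p999", ["name"], "treatment")
    return {
        "treatment": treat,
        "billing": bill,
        "it_admin": admin,
        "research": research,
        "missing": missing,
        "accounting_p001": [(e.user, e.purpose, e.released)
                            for e in store.accounting_of_disclosures("p001")],
        "denied": [(e.user, e.role) for e in store.denied_attempts()],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Two things to notice in the log this produces. The billing request for name, diagnosis and claim data comes back as allowed but with a shorter released list than requested; that gap between `requested` and `released` is what minimum-necessary enforcement looks like on paper, and it is worth reviewing because repeated over-asking by one user is a training or policy problem. The clinician's "research" read of a name is the only entry in the patient's accounting of disclosures, because treatment, payment and operations uses are excluded exactly as the business-associate obligations above describe.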
DO YOU AUDIT YOUR HIPAA
PROCESS
An audit process should be in place for your HIPAA process. It should
include
Hardware
Software
Data Controls
The Department of Health and Human Services requires the Office for Civil Rights
(OCR) to audit covered entities' and business associates' compliance with the
HIPAA Privacy, Security and Breach Notification Rules (see the Audit Program
Protocol). Organizations responsible for HIPAA-covered data now face one-in-20
odds of a HIPAA audit.
SHREDDING PAPER THE HIPAA
WAY
In general, examples of proper disposal methods may include, but are not
limited to:
• For PHI in paper records: shredding, burning, pulping or pulverizing, so that the
PHI is rendered essentially unreadable, indecipherable, and otherwise
cannot be reconstructed.
• Maintaining labeled prescription bottles and other PHI in opaque bags in a
secure area and using a disposal vendor as a business associate to pick up
and shred or otherwise destroy the PHI.
• For PHI on electronic media, clearing (using software or hardware products
to overwrite media with non-sensitive data), purging (degaussing or exposing
the media to a strong magnetic field in order to disrupt the recorded magnetic
domains), or destroying the media (disintegration, pulverization, melting,
incinerating, or shredding). Note that overwriting and degaussing are magnetic-disk
techniques: they do not reliably sanitize flash-based media such as SSDs and USB
drives, whose controllers remap blocks outside the operating system's view. For
those, use the drive's built-in secure-erase or cryptographic-erase command, or
physically destroy the device (NIST SP 800-88 covers both).
SECURITY FOR THOSE ON THE
Step 1: Assess your mobile users –
Understanding your users and their use cases is the first step toward
HIPAA compliance. Mobile devices are becoming increasingly common as
the industry rapidly converts from paper to electronic media.
Because of this, IT must now support a wide variety of ePHI, including
electronic patient records, email, multiple provider health care records and
clinical drug trial results. This mission is complicated by device ownership.
In typical scenarios, IT supports staff using personal devices to access
sensitive information. Now, in some cases—IT also issues user devices.
Documenting the flow of health care information to and from users and
their mobile devices is the upfront work that has to be completed before IT
can develop a comprehensive security strategy for remote access of ePHI.
Step 2: Bulletproof your security strategy
Privacyrights.org reported that in 2007 46 health care data breaches
occurred, involving 62 stolen or lost laptops with five million identities
compromised. The publicity surrounding these breaches has motivated many
IT organizations to develop a strategy to secure their laptops with data
encryption and password protection. Unfortunately, the same cannot be said
for handheld devices.
What organizations may miss is that rapidly evolving smartphones and PDAs are quickly becoming
the everyday PC, with multiple modes of communication, significant processing power and large
storage capabilities. This by itself makes today's mobile devices subject to the same risks as laptops.
However, handheld mobile devices have several characteristics that make them even more
vulnerable than laptops. Their small size makes them substantially more likely to be lost or stolen,
and their low cost enables users to easily replace them if lost. Unlike IT-issued laptops, users do not
have a compelling reason to report a data breach if they can easily replace the device for a low cost.
Step 3: Build your security solution
Unfortunately, the CMS guidance creates multiple technical
challenges for IT departments including endpoint security, network
access control and user compliance.
So what should IT look for in a solution? Laptop support is a
must, but ultimately full HIPAA compliance also requires robust
support across a diverse set of handheld mobile devices, use cases
and ownership scenarios. The ideal system must include:
 A self-service portal to allow end-users to load security software and
policies on personal devices.
 A flexible device agent that enables IT to secure and manage a wide
variety of device platforms for phones and tablets.
 Policy-controlled security that protects against hacker access and device
loss.
 A centralized management console with integrated help desk capabilities
to simplify policy implementation and user support.
 A compliance management and reporting facility to ensure users adhere
to IT policy
Step 4: Enforce your policies
An organization's HIPAA security policies are only effective if users comply
with them, so make sure that your mobile device security policies are
understood by all users and enforced.
OCR will be looking to ensure that policies were followed if there is a data
breach.
Policies need to be enforced with no respect to person/position.
Step 5: Go public
Advertise your efforts in HIPAA compliance
Marketing Material
Website
County and State agencies
Individuals and Families served
SO WHAT ARE THEY REALLY LOOKING FOR
 Employee training and review
 Vigilant implementation of policies and procedures
 Regular internal audits
 Prompt action plan to respond to incidents
 Risk analysis and ongoing risk management (Security Rule)
OCR Presentation February 2014
SCAN...IT'S A BIG DEAL
One sure-fire way of protecting yourself in a disaster, an audit or a HIPAA
review is to scan documents
Lots of options out there for scanning and
Protecting the information
Any IMPORTANT paper that cannot be
recreated needs to be scanned
Some are here at the conference…check
them out
HIPAA BREACH
REAL LIFE VIOLATIONS
Initial early penalties for HIPAA violations were described as a "joke," with
most enterprises unmoved by the risk of paying out potential settlements.
However, the passage of the Health Information Technology for Economic
and Clinical Health (HITECH) Act in February 2009 completely changed this
attitude, with HIPAA penalties now reaching millions of dollars.
Cases in point:
Cignet's $4.3 million fine in 2011 for denying patients access to medical
records
$1.5 million fine to Massachusetts Eye and Ear Infirmary for a data
compromise involving a lost laptop.
http://www.hhs.gov/ocr/privacy/hipaa/administrat
ive/breachnotificationrule/breachtool.html
HIPAA
COMPLIANCE/ENFORCEMENT
(AS OF DECEMBER 31, 2012)
TOTAL (since 2003)
Complaints Filed: 77,200
Cases Investigated: 27,500
Cases with Corrective Action: 18,600
Civil Monetary Penalties & Resolution Agreements (since 2008): $14.9 million
Information from OCR Presentation to Tech Alliance February 2014
[Chart: breaches by type: Theft; Unauthorized Access or Disclosure; Loss; Hacking;
Improper Disposal; Unknown]
[Chart: location of breach: Laptop; Paper Records; Desktop Computer; Portable
Devices; Network Server; Other; Email; EMR]
ONE FINAL THOUGHT FROM OCR
OCR Investigator – Wandah Hardy
IT’s A WRAP

India Clinical Trials Market: Industry Size and Growth Trends [2030] Analyzed...
 
Myopia Management & Control Strategies.pptx
Myopia Management & Control Strategies.pptxMyopia Management & Control Strategies.pptx
Myopia Management & Control Strategies.pptx
 
.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD
.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD
.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD
 
CANCER CANCER CANCER CANCER CANCER CANCER
CANCER  CANCER  CANCER  CANCER  CANCER CANCERCANCER  CANCER  CANCER  CANCER  CANCER CANCER
CANCER CANCER CANCER CANCER CANCER CANCER
 
GLOBAL WARMING BY PRIYA BHOJWANI @..pptx
GLOBAL WARMING BY PRIYA BHOJWANI @..pptxGLOBAL WARMING BY PRIYA BHOJWANI @..pptx
GLOBAL WARMING BY PRIYA BHOJWANI @..pptx
 
CONSTRUCTION OF TEST IN MANAGEMENT .docx
CONSTRUCTION OF TEST IN MANAGEMENT .docxCONSTRUCTION OF TEST IN MANAGEMENT .docx
CONSTRUCTION OF TEST IN MANAGEMENT .docx
 
💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...
💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...
💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...
 
Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...
Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...
Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...
 
BOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptx
BOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptxBOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptx
BOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptx
 
Nursing Care of Client With Acute And Chronic Renal Failure.ppt
Nursing Care of Client With Acute And Chronic Renal Failure.pptNursing Care of Client With Acute And Chronic Renal Failure.ppt
Nursing Care of Client With Acute And Chronic Renal Failure.ppt
 
Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.
Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.
Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.
 
POLYCYSTIC OVARIAN SYNDROME (PCOS)......
POLYCYSTIC OVARIAN SYNDROME (PCOS)......POLYCYSTIC OVARIAN SYNDROME (PCOS)......
POLYCYSTIC OVARIAN SYNDROME (PCOS)......
 
Essential Metrics for Palliative Care Management
Essential Metrics for Palliative Care ManagementEssential Metrics for Palliative Care Management
Essential Metrics for Palliative Care Management
 
How many patients does case series should have In comparison to case reports.pdf
How many patients does case series should have In comparison to case reports.pdfHow many patients does case series should have In comparison to case reports.pdf
How many patients does case series should have In comparison to case reports.pdf
 

how to really implement hipaa presentation

  • 1. HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group
  • 2. WHAT IS HIPAA  The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It has been known as the Kennedy-Kassebaum Act after two of its leading sponsors. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.  This act gives the right to privacy to individuals from age 12 through 18. The provider must have a signed disclosure from the affected before giving out any information on provided health care to anyone, including parents.  The administrative simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system. www.wikipedia.com
  • 3.
  • 4.
  • 5. WHO IS IMPACTED? DO I NEED TO CARE? Health care providers – A provider of medical, psychiatric, or other health services, and any other person or entity furnishing health care services or supplies. Health plans – an individual or group health plan that provides or pays the cost of medical care. Clearinghouses – A public or private entity that processes or facilitates the processing of non-standard data elements of health information into standard data elements and who transmits any health information in electronic form in connection with a transaction covered in the legislation. Business Associates and Trading Partners
  • 6. WHAT IS PROTECTED HEALTH INFORMATION A person’s name, address, birth date, age, phone and fax numbers, e-mail address Medical records, diagnosis, x-rays, photos, prescriptions, lab work, test results Billing records, claim data, referral authorizations, explanation of benefits Research records Past, Present or Future condition or payment
  • 7. Covered Entity (CE) Any business entity that must comply with HIPAA regulations, which includes health-care providers, health plans and health-care clearinghouses. For purposes of HIPAA, health-care providers include hospitals, physicians and other caregivers. This would include: County Boards of DD; Private Providers; Agency Providers; Therapy Providers; Nursing Providers; Behavioral Support Providers
  • 8. Business Associate (BA) A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. A business associate can also be a covered entity in its own right. This would include any VENDOR or CONTRACTOR that comes in contact with individuals or their information. Some examples: Billing Agents; IT Providers; Software Providers (Intellinetics, Gatekeeper, CareTracker, Solona to name a few); Shredding Companies; Contracted Service Providers; COGS; Housing Providers. A Covered Entity must have a Business Associate Agreement on file for all vendors classified as a Business Associate.
  • 9. BUSINESS ASSOCIATE CONTRACTS MUST… establish the permitted and required uses and disclosures of protected health information by the business associate, and may not authorize further disclosure in violation of the regulations. If the covered entity knows of a practice or pattern of activity that constitutes a material breach of the business associate's obligations under the contract, the covered entity must take reasonable steps to ensure cure of the breach, or terminate the contract, or report the problem to the Office of Civil Rights.
  • 10. BUSINESS ASSOCIATES OBLIGATIONS Must not use or disclose protected health information in violation of the law or contract. Implement safeguards against improper use or disclosure. Ensure that any agents or subcontractors agree to fulfill contractual and legal obligations. Afford individual access to records; make available records for amendment by the individual; account to the individual for use or disclosure other than for payment, treatment, or operations. At termination of the contract, return or destroy protected health information.
  • 11. What Do We Need to Be Thinking About?
  • 12. JUST GIVE ME THE POLICIES ALREADY Policies should reflect how your organization is handling the requirements of HIPAA. These policies should be reviewed annually at a minimum to ensure that the policy stays current with the organization and its technology. Staff MUST be trained on HIPAA policies at least annually; keeping HIPAA out in front of staff needs to be ongoing.
  • 13. Hardware, Software and Transmission Security  Organizations should have a hardware firewall in place. Transmission of personal information should be encrypted and comply with HIPAA. Policies should cover the updating of hardware, firmware, operating systems and applications. Disaster Backup and Recovery Plans  Policies and Procedures should include a Disaster Backup and Recovery plan to ensure the business can continue operations in the event of a disaster. This includes keeping the business running, recovering lost data, testing of backup procedures and replacement of equipment. Training of Staff  Organizations should provide a training program to raise awareness of HIPAA rights. Every individual in the organization must be trained on a regular basis. Training should be provided to include employee awareness, password safeguarding and changing, workstation access, software use, virus and malware information and other mission critical operations. Record and Information Access  Policies should define roles on who can have what access to programs and information. These policies should further define the roles in information technology of the IT personnel who have the rights to modify the access.
  • 14. Some things to think about with Data Security: Secure Email System (Encryption); Secure File Transfer; Secure Website for Data Transfer (if applicable); Do we have a written Disaster Backup and Recovery Plan? Where is it? Who's in charge of the plan? Have you tested your plan? Do you provide HIPAA training to all new staff and ongoing refresher trainings (so it's always kept out in front of staff)? Do you test your staff? Who has access to staff and consumer information? Secure passwords (complex, set change schedule); Systems set up so a user can access only needed information; Files saved with Password Protection
  • 15. DO YOU AUDIT YOUR HIPAA PROCESS? An audit process should be in place for your HIPAA process. It should include hardware, software and data controls. The Department of Health and Human Services requires the Office of Civil Rights (OCR) to audit covered entities' and business associates' compliance with the HIPAA Privacy, Security and Breach Notification Rules (see Audit Program Protocol). Organizations responsible for HIPAA-covered data now face one-in-20 odds of facing a HIPAA audit.
  • 16. SHREDDING PAPER THE HIPAA WAY In general, examples of proper disposal methods may include, but are not limited to: • For PHI in paper records: shredding, burning, pulping or pulverizing, so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI. • For PHI on electronic media: clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
  • 17. SECURITY FOR THOSE ON THE Step 1: Assess your mobile users – Understanding your users and their use cases is the first step toward HIPAA compliance. Mobile devices are becoming increasingly common as the industry rapidly converts from paper to electronic media. Because of this, IT must now support a wide variety of ePHI, including electronic patient records, email, multiple provider health care records and clinical drug trial results. This mission is complicated by device ownership. In typical scenarios, IT supports staff using personal devices to access sensitive information. Now, in some cases—IT also issues user devices. Documenting the flow of health care information to and from users and their mobile devices is the upfront work that has to be completed before IT can develop a comprehensive security strategy for remote access of ePHI.
  • 18. Step 2: Bulletproof your security strategy Privacyrights.org reported that in 2007, 46 health care data breaches occurred, involving 62 stolen or lost laptops, with five million identities compromised. The publicity surrounding these breaches has motivated many IT organizations to develop a strategy to secure their laptops with data encryption and password protection. Unfortunately, the same cannot be said for handheld devices. What organizations may miss is that rapidly evolving smartphones and PDAs are quickly becoming the everyday PC, with multiple modes of communication, significant processing power and large storage capabilities. This by itself makes today's mobile devices subject to the same risks as laptops. However, handheld mobile devices have several characteristics that make them even more vulnerable than laptops. Their small size makes them substantially more likely to be lost or stolen, and their low cost enables users to easily replace them if lost. Unlike IT-issued laptops, users do not have a compelling reason to report a data breach if they can easily replace the device for a low cost.
  • 19. Step 3: Build your security solution Unfortunately, the CMS guidance creates multiple technical challenges for IT departments including endpoint security, network access control and user compliance. So what should IT look for in a solution? Laptop support is a must, but ultimately full HIPAA compliance also requires robust support across a diverse set of handheld mobile devices, use cases and ownership scenarios. The ideal system must include:  A self-service portal to allow end-users to load security software and policies on personal devices.  A flexible device agent that enables IT to secure and manage a wide variety of device platforms for phones and tablets.  Policy-controlled security that protects against hacker access and device loss.  A centralized management console with integrated help desk capabilities to simplify policy implementation and user support.  A compliance management and reporting facility to ensure users adhere to IT policy
  • 20. Step 4: Enforce your policies An organization's HIPAA security policies are only effective if users comply with them, so make sure that your mobile device security policies are understood by all users and enforced. OCR will be looking to ensure that policies were followed if there is a data breach. Policies need to be enforced with no respect to person/position.
  • 21. Step 5: Go public Advertise your efforts in HIPAA compliance: marketing material; website; county and state agencies; individuals and families served.
  • 22. SO WHAT ARE THEY REALLY LOOKING FOR  Employee training and review  Vigilant implementation of policies and procedures  Regular internal audits  Prompt action plan to respond to incidents  Risk analysis and ongoing risk management (Security Rule) OCR Presentation February 2014
  • 23. SCAN… IT'S A BIG DEAL One sure-fire way of protecting yourself in a disaster, an audit or HIPAA matters is to scan documents. Lots of options are out there for scanning and protecting the information. Any IMPORTANT paper that cannot be recreated needs to be scanned. Some are here at the conference; check them out.
  • 25. REAL LIFE VIOLATIONS Initial early penalties for HIPAA violations were described as a "joke," with most enterprises unmoved by the risk of paying out potential settlements. However, the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in February 2009 completely changed this attitude, with HIPAA penalties now reaching millions of dollars. Cases in point: Cignet's $4.3 million fine in 2011 for denying patients access to medical records; a $1.5 million fine to Massachusetts Eye and Ear Infirmary for a data compromise involving a lost laptop. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
  • 26. HIPAA COMPLIANCE/ENFORCEMENT (AS OF DECEMBER 31, 2012), totals since 2003: Complaints Filed 77,200; Cases Investigated 27,500; Cases with Corrective Action 18,600; Civil Monetary Penalties & Resolution Agreements (since 2008) $14.9 million. Information from OCR Presentation to Tech Alliance February 2014
  • 27. [chart] Theft; Unauthorized Access or Disclosure; Loss; Hacking; Improper Disposal; Unknown
  • 28. [chart] Location of Breach: Laptop; Paper Records; Desktop Computer; Portable Devices; Network Server; Other; Email; EMR
  • 29. ONE FINAL THOUGHT FROM OCR OCR Investigator – Wandah Hardy
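Slides 10, 13 and 14 describe one control from three angles: access limited to what a role needs, no disclosure outside treatment, payment or operations without written authorization, and an accounting of every other disclosure that the individual can ask for. The Python below is an added example, not the presenter's code or any product named in the slides; the role-to-field policy, user names and patient identifiers are constructed sample values.

```python
"""Minimum-necessary PHI access with an accounting of disclosures (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Purposes for which the Privacy Rule allows use or disclosure without written
# authorization: treatment, payment and health care operations (TPO).
TPO_PURPOSES = {"treatment", "payment", "operations"}

# Constructed sample policy: each role sees only the PHI fields it needs.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "prescriptions", "lab_results"},
    "billing": {"name", "dob", "claim_data", "explanation_of_benefits"},
    "front_desk": {"name", "phone", "address"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    purpose: str
    patient_id: str
    fields: frozenset                    # PHI fields the user asked for
    authorization_on_file: bool = False  # signed patient authorization (needed outside TPO)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    released: frozenset                  # fields actually released, possibly a subset
    reason: str


class DisclosureLedger:
    """Internal audit trail plus the per-patient accounting of disclosures."""

    def __init__(self):
        self.audit_log = []   # every attempt, allowed or denied, for internal audits
        self.accounting = {}  # patient_id -> disclosures the individual may ask to see

    def decide(self, req, now=None):
        now = now or datetime.now(timezone.utc)
        permitted = ROLE_FIELDS.get(req.role, set())
        if not permitted:
            decision = Decision(False, frozenset(), "unknown role")
        elif req.purpose not in TPO_PURPOSES and not req.authorization_on_file:
            decision = Decision(False, frozenset(),
                                "purpose outside TPO requires written authorization")
        else:
            # Minimum necessary: release only what was asked for AND the role may see.
            released = frozenset(req.fields) & frozenset(permitted)
            if released:
                decision = Decision(True, released, "ok")
            else:
                decision = Decision(False, frozenset(),
                                    "no requested field is permitted for this role")

        self.audit_log.append({
            "time": now.isoformat(), "user": req.user, "role": req.role,
            "purpose": req.purpose, "patient_id": req.patient_id,
            "requested": sorted(req.fields), "released": sorted(decision.released),
            "allowed": decision.allowed, "reason": decision.reason,
        })
        # Accounting of disclosures: TPO uses are exempt; everything else is recorded
        # so it can be reported to the individual on request.
        if decision.allowed and req.purpose not in TPO_PURPOSES:
            self.accounting.setdefault(req.patient_id, []).append({
                "time": now.isoformat(), "recipient": req.user,
                "purpose": req.purpose, "fields": sorted(decision.released),
            })
        return decision

    def accounting_for(self, patient_id):
        """Disclosures the covered entity must be able to hand the individual."""
        return list(self.accounting.get(patient_id, []))

    def denied_attempts_by_user(self):
        """Audit view for slide 15's internal review: denied attempts per user."""
        counts = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts


if __name__ == "__main__":
    ledger = DisclosureLedger()
    req = AccessRequest("dr.a", "clinician", "treatment", "P-001",
                        frozenset({"name", "diagnosis", "claim_data"}))
    print(ledger.decide(req))  # claim_data is dropped: not needed by a clinician
```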

Editor's Notes

  1. Title I: Health Care Access, Portability, and Renewability
Title I of HIPAA regulates the availability and breadth of group health plans and certain individual health insurance policies. It amended the Employee Retirement Income Security Act, the Public Health Service Act, and the Internal Revenue Code. Title I also limits restrictions that a group health plan can place on benefits for preexisting conditions. Group health plans may refuse to provide benefits relating to preexisting conditions for a period of 12 months after enrollment in the plan or 18 months in the case of late enrollment.[5] However, individuals may reduce this exclusion period if they had group health plan coverage or health insurance prior to enrolling in the plan. Title I allows individuals to reduce the exclusion period by the amount of time that they had "creditable coverage" prior to enrolling in the plan and after any "significant breaks" in coverage.[6] "Creditable coverage" is defined quite broadly and includes nearly all group and individual health plans, Medicare, and Medicaid.[7] A "significant break" in coverage is defined as any 63 day period without any creditable coverage.[8]

Some health care plans are exempted from Title I requirements, such as long-term health plans and limited-scope plans such as dental or vision plans that are offered separately from the general health plan. However, if such benefits are part of the general health plan, then HIPAA still applies to such benefits. For example, if the new plan offers dental benefits, then it must count creditable continuous coverage under the old health plan towards any of its exclusion periods for dental benefits. An alternate method of calculating creditable continuous coverage is available to the health plan under Title I. That is, 5 categories of health coverage can be considered separately, including dental and vision coverage. Anything not under those 5 categories must use the general calculation (e.g., the beneficiary may be counted with 18 months of general coverage, but only 6 months of dental coverage, because the beneficiary did not have a general health plan that covered dental until 6 months prior to the application date). Since limited-coverage plans are exempt from HIPAA requirements, the odd case exists in which the applicant to a general group health plan cannot obtain certificates of creditable continuous coverage for independent limited-scope plans such as dental to apply towards exclusion periods of the new plan that does include those coverages.

Hidden exclusion periods are not valid under Title I (e.g., "The accident, to be covered, must have occurred while the beneficiary was covered under this exact same health insurance contract"). Such clauses must not be acted upon by the health plan and also must be re-written so that they comply with HIPAA.

To illustrate, suppose someone enrolls in a group health plan on January 1, 2006. This person had previously been insured from January 1, 2004 until February 1, 2005 and from August 1, 2005 until December 31, 2005. To determine how much coverage can be credited against the exclusion period in the new plan, start at the enrollment date and count backwards until a significant break in coverage is reached. So, the five months of coverage between August 1, 2005 and December 31, 2005 clearly counts against the exclusion period. But the period without insurance between February 1, 2005 and August 1, 2005 is greater than 63 days. Thus, this is a significant break in coverage, and any coverage prior to it cannot be deducted from the exclusion period. So, this person could deduct five months from his exclusion period, reducing the exclusion period to seven months.
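The creditable-coverage arithmetic of this illustration, as an added Python example that is not part of the presentation or its notes: coverage periods are modelled as half-open date ranges, a gap of 63 days or more is treated as the significant break, whole calendar months are credited per period, and the sample history is the one given above.

```python
"""Creditable coverage credited against a Title I exclusion period (added example)."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date

SIGNIFICANT_BREAK_DAYS = 63   # 63 days with no creditable coverage is a significant break


@dataclass(frozen=True)
class Coverage:
    start: date   # first day covered
    end: date     # first day NOT covered (half-open interval)


def add_months(d, months):
    """Advance a date by whole calendar months, clamping the day to the target month."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def whole_months(start, end):
    """Whole calendar months in the half-open interval [start, end)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return max(0, months)


def creditable_months(enrollment, periods):
    """Walk backwards from the enrollment date, crediting each period until the
    first significant break; coverage before that break is lost."""
    credited = 0
    cursor = enrollment
    for p in sorted(periods, key=lambda p: p.end, reverse=True):
        if (cursor - p.end).days >= SIGNIFICANT_BREAK_DAYS:
            break
        credited += whole_months(p.start, min(p.end, cursor))  # min() handles overlaps
        cursor = min(cursor, p.start)
    return credited


def exclusion_period(enrollment, periods, base_months=12):
    """Remaining exclusion months (12, or 18 for late enrollment) and the date from
    which preexisting conditions must be covered."""
    remaining = max(0, base_months - creditable_months(enrollment, periods))
    return remaining, add_months(enrollment, remaining)


# The notes' own illustration: enrolled January 1, 2006 after two earlier periods.
ENROLLMENT = date(2006, 1, 1)
HISTORY = [
    Coverage(date(2004, 1, 1), date(2005, 2, 1)),   # Jan 1, 2004 until Feb 1, 2005
    Coverage(date(2005, 8, 1), date(2006, 1, 1)),   # Aug 1, 2005 through Dec 31, 2005
]

if __name__ == "__main__":
    months, covered_from = exclusion_period(ENROLLMENT, HISTORY)
    print(f"creditable months: {creditable_months(ENROLLMENT, HISTORY)}")
    print(f"exclusion period: {months} months, coverage begins {covered_from}")
```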
Hence, Title I requires that any preexisting condition begin to be covered on August 1, 2006.

Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information, as well as outlining numerous offenses relating to health care, and sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse within the health care system.[9][10][11] However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information. These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.[12][13] Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.

Privacy Rule
The effective compliance date of the Privacy Rule was April 14, 2003, with a one-year extension for certain "small plans". The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions).[14] By regulation, the Department of Health and Human Services extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of "business associates".[15] PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.[16] This is interpreted rather broadly and includes any part of an individual's medical record or payment history. Covered entities must disclose PHI to the individual within 30 days upon request.[17] They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.[18]

A covered entity may disclose PHI to facilitate treatment, payment, or health care operations without a patient's express written authorization.[19] Any other disclosures of PHI require the covered entity to obtain written authorization from the individual for the disclosure.[20] However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.[21] The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI.[22] It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals.[23] For example, an individual can ask to be called at his or her work number instead of home or cell phone numbers. The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures.[24] They must appoint a Privacy Official and a contact person[25] responsible for receiving complaints, and train all members of their workforce in procedures regarding PHI.[26]

An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).[27][28] However, according to the Wall Street Journal, the OCR has a long backlog and ignores most complaints. "Complaints of privacy violations have been piling up at the Department of Health and Human Services. Between April of 2003 and November 2006, the agency fielded 23,886 complaints related to medical-privacy rules, but it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations. A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved."[29] However, in July 2011, UCLA agreed to pay $865,500 in a settlement regarding potential HIPAA violations. An HHS Office for Civil Rights investigation showed that from 2005 to 2008 unauthorized employees repeatedly and without legitimate cause looked at the electronic protected health information of numerous UCLAHS patients.[30]

2013 changes to Privacy Rule
In January 2013, HIPAA was updated to a rule that is often referred to as the Omnibus Rule.[31] Protection of PHI was changed from indefinite to 50 years after death.
More severe penalties were also approved for violation of PHI privacy.

Unique Identifiers Rule (National Provider Identifier)
HIPAA covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions by May 23, 2007. Small health plans must use only the NPI by May 23, 2008. Effective from May 2006 (May 2007 for small health plans), all covered entities using electronic communications (e.g., physicians, hospitals, health insurance companies, and so forth) must use a single new NPI. The NPI replaces all other identifiers used by health plans, Medicare, Medicaid, and other government programs. However, the NPI does not replace a provider's DEA number, state license number, or tax identification number. The NPI is 10 digits (may be alphanumeric), with the last digit being a checksum. The NPI cannot contain any embedded intelligence; in other words, the NPI is simply a number that does not itself have any additional meaning. The NPI is unique and national, never re-used, and except for institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different "subparts" such as a free-standing cancer center or rehab facility.
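The NPI paragraph says the tenth digit is a checksum. The Python below is an added example, not part of the presentation or its notes, that verifies it: CMS specifies the check digit as the Luhn formula computed over the nine base digits prefixed with the constant 80840 (a published CMS detail, not stated on the page); the validator assumes the all-numeric form, and the sample NPI 1234567893 is derived from the constructed base 123456789.

```python
"""Structural check of a National Provider Identifier (NPI) check digit (added example)."""
NPI_LENGTH = 10
# CMS computes the NPI check digit with the Luhn formula over the nine base digits
# prefixed with the constant 80840.
NPI_LUHN_PREFIX = "80840"


def luhn_check_digit(payload):
    """Luhn (mod 10) check digit for a digit string; the rightmost payload digit is doubled."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(base9):
    """Check digit for the nine identifying digits of an NPI."""
    if len(base9) != 9 or not base9.isdigit():
        raise ValueError("base must be exactly nine digits")
    return luhn_check_digit(NPI_LUHN_PREFIX + base9)


def validate_npi(npi):
    """Return (is_valid, reason). Only structure is checked: a correct check digit
    catches transcription errors; it does not prove the NPI was ever issued."""
    npi = npi.strip()
    if len(npi) != NPI_LENGTH or not npi.isdigit():
        return False, "NPI must be exactly 10 digits"
    if int(npi[-1]) != npi_check_digit(npi[:-1]):
        return False, "check digit mismatch"
    return True, "ok"


if __name__ == "__main__":
    base = "123456789"   # constructed sample base; the check digit is computed, not looked up
    print(f"{base}{npi_check_digit(base)} ->", validate_npi(f"{base}{npi_check_digit(base)}"))
    print("1234567890 ->", validate_npi("1234567890"))
```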