HIPAA Compliance:
What Medical Practices &
Their Business Associates
Need to Know
August 29, 2013
PRESENTER
Brian Rosenfelt, CPA
Skoda Minotti Risk Advisory Services
• Former controller, CFO and operations
executive in a variety of industries
• Served as business process engineer with
Kaiser Permanente
• Leads Skoda Minotti’s HIPAA consulting
practice
• Deep understanding of accounting,
technology and compliance
AGENDA
• HIPAA History
• Definitions
• Major Provisions
• 2013 Omnibus Rules
• Compliance and Enforcement
• Risk Assessment
• Policies & Procedures
WHAT IS HIPAA?
• HIPAA: Health Insurance Portability & Accountability Act
• Signed into law in 1996
• Federal law protecting the privacy of Protected Health Information
(PHI)
• The overall purpose is to ensure the security and privacy of
individual health information
HIPAA HITECH ACT OF 2009
Origins
• Prior to 2009, HIPAA regulations were not
being enforced consistently (if at all)
• The new act was meant to:
- Strengthen controls and oversight of PHI
- Add federal breach notification requirements
- Expand the definition of business associates and apply HIPAA's rules to them directly, not just through contract

• Built on the heels of providing incentives for doctors and hospitals
to implement Electronic Medical Record (EMR) systems
DEFINITIONS
• Protected Health Information (PHI)
• Covered Entity
• Business Associate
PROTECTED HEALTH
INFORMATION (PHI)
What is PHI?
• Individually identifiable health information, in any form (oral, paper or electronic), created or received by a healthcare provider, health plan, clearinghouse or business associate, that relates to a person's health or condition, the healthcare they received, or payment for that care
• "Unsecured" PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through encryption or destruction that meets HHS guidance; in practice, unencrypted data. Breach notification obligations attach only to unsecured PHI

Examples of PHI
• Medical information and records
• Billing information and records
• Medical insurance forms
• Lab results
COVERED ENTITY VS.
BUSINESS ASSOCIATE
Covered Entities
• Health Care Provider (dentist, doctor,
nursing home, pharmacy)
• Health Plan (HMO, company health
plan, health insurance companies)
• Health Care Clearinghouse
COVERED ENTITY VS.
BUSINESS ASSOCIATE
Business Associates
• Attorneys
• Accountants
• Consultants
• Third Party Administrators (claims processing, etc.)
• Anyone who does, or could, come into contact with PHI
• Others
- Document shredding company
- Cleaning company
- Software company

Business associates can be anyone with access to, or potential access to, health information.
MAJOR PROVISIONS
• Privacy Rule
• Security Rule
• Breach Notification Rule
• Enforcement Rule
• Unique Identifiers Rule
PRIVACY RULE
• Applies to use and disclosure of PHI
• Reason for HIPAA language and
forms you sign at your doctor’s office
• Requires patient authorization for
certain disclosures (release of
medical information to employer,
relative, etc.)
• Disclosure permitted for treatment
and/or payment purposes
SECURITY RULE
• Applies to the securing of ePHI
(electronic protected health
information)
• Requires implementation of three
types of safeguards:
- Administrative (risk analysis, policies and
procedures, workforce training, sanctions)
- Physical (access to the server room,
workstation and device controls, access to
patient paper records)
- Technical (access control with unique user IDs,
password policies and authentication, audit
controls, integrity controls, and transmission
security such as email encryption)
BREACH NOTIFICATION
RULE
• Old rule (2009 interim final rule): notification
was required only if the incident posed a
significant "risk of harm" to the individual
• New rule (2013 Omnibus): an impermissible use
or disclosure of unsecured PHI is presumed to be
a reportable breach unless a documented risk
assessment shows a "low probability" that the
PHI has been compromised
• The risk assessment must consider at least four
factors:
- The nature and extent of the PHI involved
(types of identifiers, likelihood of re-identification)
- The unauthorized person who used the PHI or
to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has
been mitigated
A LONG TIME COMING …
• Health Information Technology for
Economic and Clinical Health (HITECH)
Act was enacted on February 17, 2009
• Proposed Regulations: July 14, 2010
• Final “Omnibus” HIPAA Regulations:
January 25, 2013
- Effective Date: March 26, 2013
- Compliance Date: September 23, 2013

• Copy of final regulations:
http://1.usa.gov/Wl60lE
- 138 pages
MAJOR CHANGES
WITH THE NEW RULES
Business Associate Liability Increased
• Business Associates are now DIRECTLY liable under HIPAA: the full
Security Rule, and the Privacy Rule provisions governing their uses and
disclosures, apply to them by regulation, not only by contract
• PHI may be used and disclosed only as the business associate agreement
permits
• Civil and criminal penalties now apply directly to Business Associates
• Subcontractors that handle PHI are Business Associates too; a Business
Associate must have a written agreement with, and is responsible for,
its sub-Business Associates
BUSINESS ASSOCIATE
CHANGES
KEY CHANGES
DUE TO HIPAA HITECH
Breach Notification Rules
• Requires Covered Entities and Business Associates
to provide notification following a breach of
unsecured PHI
• Similar breach notification rules, enforced by the
FTC, apply to vendors of personal health records
and their third-party service providers
• Covered Entities must notify affected individuals without
unreasonable delay and no later than 60 calendar days after
discovery of the breach
• If the breach affects more than 500 residents of a state or
jurisdiction, prominent media outlets must also be notified;
breaches affecting 500 or more individuals must be reported to the
Department of Health and Human Services at the same time the
individuals are notified, and smaller breaches are logged and
reported to HHS annually
• Business Associates must report breaches to the Covered Entity
without unreasonable delay and no later than 60 calendar days
after discovery
KEY CHANGES
DUE TO HIPAA HITECH
Business Associate Responsibilities
• Must implement applicable privacy provisions
• Must implement all of the HITECH security
provisions
• Now subject to the same civil and criminal
penalties as Covered Entities
• Contracts between Covered Entities and
Business Associates must be amended to
include new HITECH provisions
HIPAA COMPLIANCE
& ENFORCEMENT
Original Rule
• The U.S. Department of Health & Human Services regulates and
enforces HIPAA through its Office for Civil Rights (OCR)
• Civil penalties: $100 per violation, capped at $25,000 per calendar
year for violations of an identical provision
• Criminal penalties: up to 10 years in prison and a $250,000 fine


HIPAA HITECH ACT of 2009
• State Attorneys General can also bring
civil action in federal court if the
interest of residents has been threatened
or affected by a HIPAA violation
HIPAA COMPLIANCE
& ENFORCEMENT
Potential Civil Penalties (Section 1176(a)(1), as amended by HITECH)

Violation Category                         Each Violation       All such violations of an identical provision in a calendar year
(A) Did not know                           $100 - $50,000       Up to $1,500,000
(B) Reasonable cause                       $1,000 - $50,000     Up to $1,500,000
(C)(i) Willful neglect - corrected         $10,000 - $50,000    Up to $1,500,000
(C)(ii) Willful neglect - not corrected    $50,000 or more      Up to $1,500,000

SUMMARY: Penalties are mandatory for willful neglect. HHS gives the
example of an entity found to have no training and no reasonable
procedures for proper disposal of PHI: that is willful neglect, and a
fine must follow. HHS goes on to say that had proper training been in
place in the same case, the same incident would not have been deemed
willful neglect.
HIPAA COMPLIANCE
& ENFORCEMENT
Potential Criminal Penalties (42 U.S.C. 1320d-6)

Type of Violation                                       Potential Fine     Potential Jail Sentence
Knowingly obtaining or disclosing PHI                   Up to $50,000      Up to one year
Under false pretenses                                   Up to $100,000     Up to five years
For commercial advantage, personal gain or              Up to $250,000     Up to ten years
malicious harm
HIPAA COMPLIANCE
& ENFORCEMENT
Consequences
• October 26, 2009: (Little Rock, Arkansas)
sentencing of three healthcare workers who
pled guilty to misdemeanor HIPAA violations
based on accessing patient records without any
reason
• April 27, 2010: (California) press release
entitled “Ex-UCLA Healthcare Employee
Sentenced to Federal Prison for Illegally
Peeking at Patient Records” – first person to be
convicted and imprisoned for HIPAA offenses
based only on unauthorized access of PHI
HIPAA COMPLIANCE
& ENFORCEMENT
Consequences
• January 9, 2012: Minnesota Attorney General
brought action against Accretive Health, Inc.
(a business associate, NOT a covered entity), in
the wake of the theft of a company laptop
computer that contained over 23,500 patient
records
• April 17, 2012: Phoenix Cardiac Surgery, P.C.
agreed to pay $100,000 and take corrective
action after they were found to have posted a
patient appointment calendar online
HOW TO GET COMPLIANT
Begin with a thorough
RISK ASSESSMENT
• Essential component of HIPAA compliance
• Can help your organization identify its most
critical areas of vulnerability
• The Risk Assessment will form the basis of
determining how risks should be managed
and/or minimized
• This is a necessary strategy to identify
potential gaps in your security environment
(physical and electronic)
• Required by HIPAA: the Security Rule's risk analysis standard
applies to Covered Entities and Business Associates alike
HOW TO GET COMPLIANT
• Risk exposure decreases significantly when an
organization knows where its PHI is stored and
what procedures are in place to access it
• A complete risk assessment examines four critical
areas:
- Process
- Governance
- People
- Technology
UPDATING
POLICIES & PROCEDURES
• Assess the current policies and procedures (if
they exist)
- Breach notification requirements
- Incident management procedures
- Training requirements and procedures

• Prior to HITECH, Business Associates were bound only
by their contracts with Covered Entities and were not
required to maintain HIPAA documentation of their own
UPDATING
POLICIES & PROCEDURES
• Update documentation – address high risk areas
first
• A strong disciplinary policy is a necessity
- Training without enforcement is of little value
- Establish consequences for violation of HIPAA
security policies
- Take strong action against employees who violate
policies and procedures (especially those that
relate to security policies)
UPDATING
POLICIES & PROCEDURES
• Training on policies and procedures is critical
- Train based on the highest risk area according to
your assessment
- Regular, ongoing training for the entire workforce
(no exceptions) is a must
- Training focused on remote access and removable
media is important (movement of ePHI)
UPDATING
POLICIES & PROCEDURES
• Require all those with remote access, or who use
portable media of any type, to sign an attestation
stating they:
- Received the education
- Agree to abide by the policies of the organization
- Understand the risk to ePHI inherent in electronic
use
- Know the degree of discipline they face for
violating the policies
UPDATING
POLICIES & PROCEDURES
• HIPAA requires policies, procedures and related
documentation to be retained for six years from the
date of creation or the date it was last in effect,
whichever is later
• The organization must be able to show that the
documentation was available to the persons
responsible for implementing the procedure
• A procedure is required for reviewing
documentation and ensuring it remains up-to-date
• Evidence of employee training and an
acknowledgement of policies and procedures are
also required
INVOLVE EVERYONE
• Interview department directors to
understand their risk concerns and
controls in place
• Including them in the HIPAA security
processes helps to ensure they will be
educated and “on-board” with the
controls you recommend
• People are the most important
component of an effective security
program
QUESTIONS?
For additional information about Skoda
Minotti’s HIPAA consulting and compliance
services, contact us at:

Brian Rosenfelt, CPA
Skoda Minotti Technology Partners
brosenfelt@skodaminotti.com
(440) 449-6800
Website: www.skodaminotti.com

Other Services:
• Audit
• Tax
• IT Consulting
• Phone Systems
• Marketing
• Investments
• Security
