This document provides information on how to implement HIPAA compliance. It begins by explaining what HIPAA is and who it impacts, such as health care providers, health plans, and clearinghouses. It defines protected health information and the obligations of covered entities and business associates. It emphasizes the importance of having business associate agreements, security policies, training programs, and conducting audits. It provides tips for securing data transmission, backups, access controls, and shredding paper records. The document stresses that HIPAA compliance is essential to avoid penalties for violations and data breaches.

1. HOW TO REALLY
IMPLEMENT
HIPAA
Presented by: Melissa Skaggs
Provider Resources Group

2. WHAT IS HIPAA
 The Health Insurance Portability and Accountability Act of 1996 (HIPAA;
Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the
United States Congress and signed by President Bill Clinton in 1996. It has been
known as the Kennedy-Kassebaum Act after two of its leading sponsors. Title I of
HIPAA protects health insurance coverage for workers and their families when
they change or lose their jobs. Title II of HIPAA, known as the Administrative
Simplification (AS) provisions, requires the establishment of national standards for
electronic health care transactions and national identifiers for providers, health
insurance plans, and employers.
 This act gives the right to privacy to individuals from age 12 through 18. The
provider must have a signed disclosure from the affected before giving out any
information on provided health care to anyone, including parents.
 The administrative simplification provisions also address the security and privacy
of health data. The standards are meant to improve the efficiency and
effectiveness of the nation's health care system by encouraging the widespread
use of electronic data interchange in the U.S. health care system.
www.wikipedia.com

5. WHO IS IMPACTED? DO I NEED TO
CARE?
Health care providers – A provider of medical, psychiatric, or other health
services, and any other person or entity furnishing health care services or supplies.
Health plans – an individual or group health plan that provides or pays the cost of
medical care.
Clearinghouses – A public or private entity that processes or facilitates the
processing of non-standard data elements of health information into standard data
elements and who transmits any health information in electronic form in
connection with a transaction covered in the legislation.
Business Associates and Trading Partners

6. WHAT IS PROTECTED HEALTH
INFORMATION
A person’s name, address, birth date, age, phone and fax numbers, e-mail address
Medical records, diagnosis, x-rays, photos, prescriptions, lab work, test results
Billing records, claim data, referral authorizations, explanation of benefits
Research records
Past, Present or Future condition or payment

7. Covered Entity (CE)
Any business entity that must comply with HIPAA regulations, which includes health-
care providers, health plans and health-care clearinghouses. For purposes of
HIPAA, health-care providers include hospitals, physicians and other caregivers. This
would include:
County Boards of DD
 Private Providers
 Agency Providers
 Therapy Providers
 Nursing Providers
 Behavioral Support Providers

8. Business Associate (BA)
A person or organization that performs a function or activity on behalf of a
covered entity, but is not part of the covered entity's workforce. A business
associate can also be a covered entity in its own right. This would include
any VENDOR or CONTRACTOR that comes in contact with individuals or
their information. Some examples……
Billing Agents
IT Providers
Software Providers (Intellinetics, Gatekeeper, CareTracker, Solona to name a
few)
Shredding Companies
Contracted Service Providers
COGS
Housing Providers
A Covered Entity must have a Business Associate Agreement on file for all
vendors classified as a Business Associate

9. Must establish the permitted and required uses and disclosures of protected
health information by the business associate and may not authorize further
disclosure in violation of the regulations
If the covered entity knows of a practice or pattern of activity that constitutes
a material breach of the business associate’s obligations under the contract,
the covered entity must take reasonable steps to ensure cure of the breach or
terminate the contract or report the problem to the Office of Civil Rights
BUSINESS ASSOCIATES CONTRACTS
MUST………

10. BUSINESS ASSOCIATES
OBLIGATIONS
Must not use or disclose protected health information in violation of the law or
contract.
Implement safeguards against improper use or disclosure.
Ensure that any agents or subcontractors agree to fulfill contractual and legal
obligations.
Afford individual access to records; make available records for amendment by the
individual; account to the individual for use or disclosure other than for payment,
treatment, or operations.
At termination of the contract, return or destroy protected health information.

11. What do We Need to Be Thinking About???????

12. JUST GIVE ME THE POLICIES
ALREADY
Policies should reflect how your organization is handling the
requirements of HIPAA
These policies should be reviewed annually at a minimum to ensure that
the policy is staying current with the organization and technology
Staff MUST be trained on HIPAA policies at least annually; keeping it out
in front on staff needs to be on going

13. Hardware, Software and Transmission Security
 Organizations should have a hardware firewall in place. Transmission of personal
information should be encrypted and comply with HIPAA. Policies should cover the
updating of hardware, firmware, operating systems and applications.
Disaster Backup and Recovery Plans
 Policies and Procedures should include a Disaster Backup and Recovery plan to ensure
the business can continue operations in the event of a disaster. This includes keeping
the business running, recovering lost data, testing of backup procedures and
replacement of equipment.
Training of Staff
 Organizations should provide a training program to raise awareness of HIPAA rights.
Every individual in the organization must be trained on a regular basis. Training should
be provided to include employee awareness, password safeguarding and
changing, workstation access, software use, virus and malware information and other
mission critical operations.
Record and Information Access
 Policies should define roles on who can have what access to programs and information.
These policies should further define the roles in information technology of the IT
personnel who have the rights to modify the access.

14. Some things to think about with Data Security
Secure Email System - Encryption
Secure File Transfer
Secure Website for Data transfer (if applicable)
Do we have a written Disaster Backup and Recovery Plan
Where is it
Who’s in charge of the plan
Have you tested your plan
Do you provide HIPAA training to all new staff and ongoing refresher
trainings (so it’s always kept out in front of staff)…do you test your staff
Who has access to staff and consumer information
Secure passwords(complex, set change schedule)
Systems set up so a user can access only needed information
Files saved with Password Protection

15. DO YOU AUDIT YOUR HIPAA
PROCESS
An audit process should be in place for your HIPAA process. It should
include
Hardware
Software
Data Controls
Department of Health and Human Services requires the Office of Civil Rights
(OCR) to audit covered entities and business associates compliance with
HIPAA Privacy, Security and Breach Notification Rules (See Audit Program
Protocol)Organizations responsible for HIPAA-covered data
now face one-in-20 odds of facing a HIPAA audit

16. SHREDDING PAPER THE HIPAA
WAYIn general, examples of proper disposal methods may include, but are not
limited to:
• For PHI in paper records,
Shredding Burning Pulping
Pulverizing
PHI is rendered essentially unreadable, indecipherable, and otherwise
cannot be reconstructed.
• Maintaining labeled prescription bottles and other PHI in opaque bags in a
secure area and using a disposal vendor as a business associate to pick up
and shred or otherwise destroy the PHI.
• For PHI on electronic media, clearing (using software or hardware products
to overwrite media with non-sensitive data), purging (degaussing or exposing
the media to a strong magnetic field in order to disrupt the recorded magnetic
domains), or destroying the media (disintegration, pulverization, melting,
incinerating, or shredding).

17. SECURITY FOR THOSE ON THE
Step 1: Assess your mobile users –
Understanding your users and their use cases is the first step toward
HIPAA compliance. Mobile devices are becoming increasingly common as
the industry rapidly converts from paper to electronic media.
Because of this, IT must now support a wide variety of ePHI, including
electronic patient records, email, multiple provider health care records and
clinical drug trial results. This mission is complicated by device ownership.
In typical scenarios, IT supports staff using personal devices to access
sensitive information. Now, in some cases—IT also issues user devices.
Documenting the flow of health care information to and from users and
their mobile devices is the upfront work that has to be completed before IT
can develop a comprehensive security strategy for remote access of ePHI.

18. Step 2: Bulletproof your security strategy
Privacyrights.org reported that in 2007 46 health care data breaches
occurred, involving 62 stolen or lost laptops with five million identities
compromised. The publicity surrounding these breaches has motivated many
IT organizations to develop a strategy to secure their laptops with data
encryption and password protection. Unfortunately, the same cannot be said
for handheld devices.
What organizations may miss is that rapidly evolving smartphones and PDAs are quickly becoming
the everyday PC, with multiple modes of communication, significant processing power and large
storage capabilities. This by itself makes today's mobile devices subject to the same risks as laptops.
However, handheld mobile devices have several characteristics that make them even more
vulnerable than laptops. Their small size makes them substantially more likely to be lost or stolen,
and their low cost enables users to easily replace them if lost. Unlike IT-issued laptops, users do not
have a compelling reason to report a data breach if they can easily replace the device for a low cost.

19. Step 3: Build your security solution
Unfortunately, the CMS guidance creates multiple technical
challenges for IT departments including endpoint security, network
access control and user compliance.
So what should IT look for in a solution? Laptop support is a
must, but ultimately full HIPAA compliance also requires robust
support across a diverse set of handheld mobile devices, use cases
and ownership scenarios. The ideal system must include:
 A self-service portal to allow end-users to load security software and
policies on personal devices.
 A flexible device agent that enables IT to secure and manage a wide
variety of device platforms for phones and tablets.
 Policy-controlled security that protects against hacker access and device
loss.
 A centralized management console with integrated help desk capabilities
to simplify policy implementation and user support.
 A compliance management and reporting facility to ensure users adhere
to IT policy

20. Step 4: Enforce your policies
An organization's HIPAA security policies are only effective if users comply
with them — so make sure that your mobile device security policies are
understood, by all users and enforced.
OCR will be looking to ensure that policies were followed if there is a data
breach.
Policies need to be enforced with no respect to person/position.

21. Step 5: Go public
Advertise your efforts in HIPAA compliance
Marketing Material
Website
County and State agencies
Individuals and Families served

22. SO WHAT ARE THEY REALLY LOOKING FOR
 Employee training and review
 Vigilant implementation of policies and procedures
 Regular internal audits
 Prompt action plan to respond to incidents
 Risk analysis and ongoing risk management (Security Rule)
OCR Presentation February 2014

23. SCAN…..ITS A BIG DEAL
One sure fire way of protecting yourself in
a disaster, audits or HIPAA is to scan
documents
Lots of options out there for scanning and
Protecting the information
Any IMPORTANT paper that cannot be
recreated needs to be scanned
Some are here at the conference…check
them out

24. HIPAA BREACH

25. REAL LIFE VIOLATIONS
Initial early penalties for HIPAA violations were described as a "joke," with
most enterprises unmoved by the risk of paying out potential settlements.
However, the passage of the Health Information Technology for Economic
and Clinical Health (HITECH) Act in February 2009 completely changed this
attitude, with HIPAA penalties now reaching millions of dollars.
Cases in point:
Cignet's $4.3 million fine in 2011 for denying patients access to medical
records
$1.5 million fine to Massachusetts Eye and Ear Infirmary for a data
compromise involving a lost laptop.
http://www.hhs.gov/ocr/privacy/hipaa/administrat
ive/breachnotificationrule/breachtool.html

26. HIPAA
COMPLIANCE/ENFORCEMENT
(AS OF DECEMBER 31, 2012)
TOTAL (since 2003)
Complaints Filed 77,200
Cases Investigated 27,500
Cases with Corrective Action 18,600
Civil Monetary Penalties &
Resolution Agreements (since
2008)
$14.9 million
Information from OCR Presentation to Tech Alliance February 2014

27. Theft –
Unauthorize
d Access or
Disclosure
Loss –
Hacking
Imprope
r
Disposa
l
Unknow
n

28. Location of Breach Laptop
Paper Records
Desktop
Computer
Portable
Devices
Network Server
Other
Email
EMR

29. ONE FINAL THOUGHT FROM OCR
OCR Investigator – Wandah Hardy

30. IT’s A WRAP