Keys To HIPAA Compliance
1. KEYS TO HIPAA COMPLIANCE
for CAAP Practice Managers
Amy Wasdin, RN, MBA, CPHRM
Patient Safety Risk Manager II, Dept. of Patient Safety and Risk Management
The Doctors Company
March 17, 2016
2. DISCLOSURE STATEMENT
The Doctors Company would like to disclose that no one in a position to control or influence the content of this activity has reported relevant financial relationships with commercial interests.
The information and guidelines contained in this activity are generalized and may not apply to all practice situations. The faculty recommends that legal advice be obtained from a qualified attorney for specific application to your practice. The information is intended for educational purposes and should be used as a reference guide only.
2 KEYS TO HIPAA COMPLIANCE for Practice Managers
3. OBJECTIVES
After completing this activity, learners will be able to:
Review the purpose of the HIPAA Privacy and Security Rules
Discuss the 2013 Omnibus Rule and its impact on:
− Disclosures of Protected Health Information,
− Patient Rights, and
− Business Associates
Describe the notifications necessary for a breach of PHI.
Outline the steps necessary for HIPAA compliance in a medical practice.
4. "I never had a policy; I have just tried to do my very best each and every day."
--Abraham Lincoln (1809-1865)
5. How HIPAA compliant are you?
Select one:
A. I am 100% confident that our practice is HIPAA compliant.
B. I am fairly certain that our practice is HIPAA compliant but I'm not sure.
C. Our practice is not HIPAA compliant.
D. What’s HIPAA?
6. KEY CONCEPTS UNDER HIPAA
Protected Health Information (PHI)
− All individually identifiable health information
− Held or transmitted by a covered entity or its business associate
− In any form or media, whether electronic, paper, or oral
Covered Entity (CE)
− Health plan or health care clearinghouse
− Health care provider
Business Associates (BA)
− Persons or organizations that perform certain functions on behalf of a CE (billing, claims processing, data analysis)
7. OVERVIEW OF HIPAA
Health Insurance Portability and Accountability Act: the Privacy Rule and the Security Rule
Protects privacy and confidentiality of PHI
Assures security of electronic information
The overall idea:
− Assure information is properly protected, but still promote flow and use of technology to facilitate care
Some state laws are more stringent than HIPAA
− If so, state law takes precedence over federal HIPAA
8. HIPAA VIOLATIONS ON THE RISE…
Total complaints received thru Dec 31, 2015: 125,445 [1]
2014 saw a 25% increase in HIPAA breaches [2]
− 2013: Loss and theft of laptops and portable devices.
− 2014: "The year of the hacker" - CHS: 4.5 million patients
Paper records are as vulnerable as, or more vulnerable than, electronic records [3]
[1] HHS Compliance and Enforcement Numbers at a Glance. Mar 11 2016. www.hhs.gov
[2] 2014 Saw 25% Increase in HIPAA Breaches. Mar 11 2016. www.hipaajournal.com
[3] HIPAA in a HITECH World: HIPAA Violations on the Rise. Smart Data Collective, March 25, 2013
9. HIPAA FINES…
Alaska DHHS fined $1.7 million
− USB device stolen from employee vehicle
Cignet Health fined $4.3 million
− Failure to provide medical records to 41 patients
UCLA fined $865,500
− Snooping employees
CVS fined $2.25 million
− Disposal of PHI in trashcans
Blue Cross of Tennessee fined $1.5 million
− Unencrypted laptops stolen
10. DATA BREACH: GEORGIA HOSPICE GROUP
Unencrypted company laptop containing personal health information was stolen from an employee's car in 2013. Nearly 2,000 patients affected by the breach. Officials say the laptop contained patient names, addresses, phone numbers, dates of birth, Social Security numbers, insurance numbers, clinical diagnoses and provider names.
Healthcare IT News - February 2013
11. CARDIAC SURGERY PRACTICE
April 2012 – Phoenix Cardiac Surgery
$100,000 with Corrective Action Plan
Failed to implement policies to safeguard PHI
Failed to document training of employees on Privacy and Security Rules
Failed to identify a security official and conduct risk analysis
Failed to have BA agreements with Internet based e-mail and calendar services where provision of the service included storage of and access to its PHI
12. PHI: 18 IDENTIFIERS
Name
Medical record number
Health plan beneficiary number
Device identifiers and serial numbers
Vehicle identifiers and serial numbers
Biometric identifiers (e.g., finger and voice prints)
Full face photos and other comparable images
Any other unique identifying number, code, or characteristic
Postal address
All elements of dates except year
Telephone number
Fax number
E-mail address
URL address (Uniform Resource Locator or web address)
IP address (Internet Protocol address numbers)
Social Security number
Account numbers
License numbers
13. AUTHORIZED USE AND DISCLOSURE
Patient consent not required for…
Use in treatment, payment, or operations (TPO)
When records are subpoenaed
− Check with MPL carrier for subpoena validity
Public interest or public health activities – required by law:
− Mandated report of abuse to proper agencies
− Preventing and controlling disease – CDC reports
− FDA
14. AUTHORIZED USE AND DISCLOSURE (continued)
Most of the time…
Valid Authorization is required to release records to another party
Specific consent required for…
Psychotherapy notes
Alcohol and drug abuse treatment program notes
Participation in research studies
− Even for re-disclosure of any of the above
15. SECURITY SAFEGUARDS
Administrative
− Security Risk Assessment
− Designated Privacy Officer
− Policies and Procedures
− Staff training
Physical
Technical
16. THE FINAL OMNIBUS HIPAA RULE
Effective March 26, 2013
Enforcement began September 23, 2013
− HITECH Modification
− HIPAA Enforcement Rule
− Breach Notification Rule
17. WHO DID THE CHANGES AFFECT?
HIPAA Covered Entities:
− Healthcare providers, health systems, health plans, clearinghouses
HIPAA Business Associates and subcontractors:
− Vendors who contract with Covered Entities and access protected health information (PHI)
− Examples: Technology vendors, service organizations, accountable care organizations, third party administrators
18. OMNIBUS RULE - HITECH
Holds BAs directly liable for compliance;
Strengthens limitation on use and disclosure of PHI;
Expands individuals' rights
How does this impact practice? …
Notice of Privacy Practices (NPP)
19. NPP MODIFICATIONS
Prohibition on the sale of PHI without authorization
Duty of CE to notify affected individuals of a breach of unsecured PHI
Right to restrict disclosures of PHI to health plan for care that was paid out of pocket in full
For CE that stated intent to fundraise in NPP, must also advise individual of the right to opt out of receiving fundraising communications from CE
20. NPP NOTIFICATION TO PATIENTS
Must make the NPP available upon request on or after the effective date of the revision
Must make the NPP available at the service delivery site and post the NPP in a clear and prominent location
A health care provider is required to give a copy of its NPP only to new patients, and not all individuals seeking treatment
21. OMNIBUS – HIPAA ENFORCEMENT RULE
Modifies privacy, security, and enforcement rule of HIPAA
How does this impact the practice? ...
Penalties
22. OMNIBUS – BREACH NOTIFICATION RULE
Establishes a process for notifying patients and HHS when there is a breach of unsecured PHI.
How does this impact the practice? ...
CEs are required to notify patients.
23. BREACH OF PHI
Any acquisition, access, use or disclosure not permitted is a Breach…
UNLESS the CE or BA demonstrates a low probability of PHI compromise.
24. BREACH NOTIFICATION OF UNSECURED PHI
Applies to breach of unsecured PHI
Applies to covered entities and business associates
Business Associates notify Covered Entity
Covered entity has burden to notify patient (unencrypted)
Must notify each individual affected by the breach (written notification within 60 days of discovery)
Discovery date = first date known
25. BREACH EXCEPTIONS
Unintentional acquisition, access, or use by workforce member with no further impermissible use
Inadvertent disclosure from one authorized person to another or CE or BA and no further impermissible use
Recipient could not reasonably have retained the PHI
Encrypted data per OCR guidance
26. BREACH NOTIFICATION REQUIREMENTS
Individual
− Contact by phone if urgent
− Written breach notification – first class mail unless e-mail preferred
HHS
− <500 = Annual log report
− >500 = Media notice and immediate notice to HHS Secretary
Annual report to HHS of all breaches
Media
− <500 residents of a state or jurisdiction
− Insufficient contact information for 10 or more individuals
27. BREACH NOTIFICATION REQUIREMENTS (continued)
What happened
What information was breached
What steps the patient should take for protection
What the CE is doing to investigate, mitigate and prevent future incidents
CE contact information
Adhere to HIPAA Compliance plan for breach
28. BREACH RESPONSE – WHAT IS YOUR PLAN?
Determine root cause of breach
Identify gaps in compliance that led to breach
Provide evidence that root cause has been addressed and gaps corrected
29. TOP FIVE ISSUES IN INVESTIGATED CASES
OCR took corrective action most often on…
Impermissible use and disclosure
Safeguards
− Not in place – fax, email, computer accessibility, etc.
Access
− Access to records was granted or not granted improperly
Minimum necessary
− More information than needed was disclosed (e.g., phone message)
Notice of privacy practices
− Not given
30. BUSINESS ASSOCIATES AGREEMENTS
Business Associate Agreements must be updated to include specific new provisions
Existing agreements, entered before January 25, 2013, may operate until agreement is amended / renewed, or until September 22, 2014, whichever is earlier
Covered Entities and Business Associates will need to modify agreements and allocate risk through use of insurance requirements and indemnity provisions
32. WHAT ACTIONS ARE REQUIRED?
Perform risk assessment.
Establish risk management plan to address and manage areas of vulnerability.
Designate a HIPAA Security officer.
Encrypt all devices that contain PHI.
Have written policies on Sanctions and Breach Notification.
Train staff on how to protect PHI and ensure your policies are compliant with HIPAA.
Audit/Test physical and electronic security policies and procedures regularly.
Documentation.
33. IF NOT ALREADY ADDRESSED…
Update Notice of Privacy Practices
Revise all Business Associates Agreements
34. Testing Your Compliance
Select One:
A. I am 100% confident that our practice is HIPAA compliant.
B. I am fairly certain that our practice is HIPAA compliant but I'm not sure.
C. Our practice is not HIPAA compliant.
D. What’s HIPAA?
35. TIPS FOR PRIVACY AND SECURITY
Limit access to a "need to know" basis
Do not conduct discussion in elevators, waiting area, or other public areas
If you see a patient in a public place, be careful in greeting him/her
Obtain patient's permission before discussing care/treatment if there is someone with him/her
Keep voices down when discussing PHI
Log off computer when done
36. TIPS FOR PRIVACY AND SECURITY (continued)
Use password protected or encrypted systems
Never share your password
Protect zip drives, laptop, PDA from loss
Never leave documents unattended
Do not put PHI in the trash
Avoid taking records out of the office if possible
Obtain written permission before leaving voicemail messages or emailing
Confirm fax numbers before sending and use a confidentiality statement on your cover sheet
37. RESOURCES
Security Risk Assessment – HealthIT.gov
www.healthit.gov/providers-professionals/security-risk-assessment
Sample Notice of Privacy Practices-English
www.hhs.gov/ocr/privacy/hipaa/npp_fullpage_hc_provider.pdf
Sample Business Associates Agreement
www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Take Steps to Protect and Secure Information When Using a Mobile Device
www.healthit.gov/sites/default/files/fact-sheet-take-steps-to-protect-information.pdf
Security Rule Educational Paper Series
http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
38. "The key to wisdom is knowing all the right questions."
--John Simone, Sr.
39. Contact Information
For additional Patient Safety information, please visit our Web site at:
www.thedoctors.com
Amy Wasdin, RN, MBA, CPHRM
Patient Safety Risk Manager II, Southeast
Department of Patient Safety and Risk Management
800-421-2368, ext 6728
Email: awasdin@thedoctors.com
----------------------------------------------------------------------------------------------------------------
Nelson Guzman, CIC, CRM
President, CBIZ Trinity
Southeast Regional Healthcare Director, CBIZ Insurance Services
Mobile: 404-791-8822
Email: nguzman@cbiztrinity.com
Evan Orvis, Sales Executive
Mobile: 770-712-3903
Direct: 470-282-2536
Email: eorvis@cbiz.com
Kathy Alba, CISR, CLCS
Senior Account Manager
Direct: 678-389-7858
Email: kalba@cbiz.com