Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Keys To HIPAA Compliance

1.748 Aufrufe

Veröffentlicht am

The Doctors Company Presentation by Amy Wasdin on the keys to HIPPA compliance.

Veröffentlicht in: Gesundheitswesen
  • Loggen Sie sich ein, um Kommentare anzuzeigen.

Keys To HIPAA Compliance

  1. 1. KEYS TO HIPAA COMPLIANCE for CAAP Practice Managers Amy Wasdin, RN, MBA, CPHRM Patient Safety Risk Manager II, Dept. of Patient Safety and Risk Management The Doctors Company March 17, 2016
  2. 2. DISCLOSURE STATEMENT The Doctors Company would like to disclose that no one in a position to control or influence the content of this activity has reported relevant financial relationships with commercial interests. The information and guidelines contained in this activity are generalized and may not apply to all practice situations. The faculty recommends that legal advice be obtained from a qualified attorney for specific application to your practice. The information is intended for educational purposes and should be used as a reference guide only. 2 KEYS TO HIPAA COMPLIANCE for Practice Managers
  3. 3. OBJECTIVES After completing this activity, learners will be able to:  Review the purpose of the HIPAA Privacy and Security Rules  Discuss the 2013 Omnibus Rule and its impact on: − Disclosures of Protected Health Information, − Patient Rights, and − Business Associates  Describe the notifications necessary for a breach of PHI.  Outline the steps necessary for HIPAA compliance in a medical practice. KEYS TO HIPAA COMPLIANCE for Practice Managers3
  4. 4. I never had a policy; I have just tried to do my very best each and every day. --Abraham Lincoln 1809-1865
  5. 5. How HIPAA compliant are you? Select one: A. I am 100% confident that our practice is HIPAA compliant. B. I am fairly certain that our practice is HIPAA compliant but I’m not sure. C. Our practice is not HIPAA compliant. D. What’s HIPAA? 5 KEYS TO HIPAA COMPLIANCE for Practice Managers
  6. 6. KEY CONCEPTS UNDER HIPAA  Protected Health Information (PHI) − All individually identifiable health information − Held or transmitted by a covered entity or its business associate − In any form or media, whether electronic, paper, or oral  Covered Entity (CE) − Health plan or health care clearinghouse − Health care provider  Business Associates (BA) − Persons or organizations that perform certain functions on behalf of a CE (billing, claims processing, data analysis) 6 KEYS TO HIPAA COMPLIANCE for Practice Managers
  7. 7. OVERVIEW OF HIPAA Healthcare Insurance Portability and Accountability Act: the Privacy Rule and the Security Rule  Protects privacy and confidentiality of PHI  Assures security of electronic information  The overall idea: − Assure information is properly protected, but still promote flow and use of technology to facilitate care  Some state laws are more stringent than HIPAA − If so, state law takes precedent over federal HIPAA 7 KEYS TO HIPAA COMPLIANCE for Practice Managers
  8. 8. HIPAA VIOLATIONS ON THE RISE…  Total complaints received thru Dec 31, 2015: 125,4451  2014 saw a 25% increase in HIPAAA breaches2 − 2013: Loss and theft of laptops and portable devices. − 2014: “The year of the hacker” - CHS: 4.5 million patients  Paper records are as vulnerable, or more, than electronic records3 [1] HHS Compliance and Enforcement Numbers at a Glance. Mar 11 2016. www.hhs.gov [2] 2014 Saw 25% Increase in HIPAA Breaches. Mar 11 2016. www.hipaajournal.com [3] HIPAA in a HITECH World: HIPAA Violations on the Rise. Smart Data Collective, March 25, 2013 8 KEYS TO HIPAA COMPLIANCE for Practice Managers
  9. 9. HIPAA FINES…  Alaska DHHS fined $1.7 million − USB device stolen from employee vehicle  Cignet Health fined $4.3 million − Failure to provide medical records to 41 patients  UCLA fined $865,500 − Snooping employees  CVS fined $2.25 million − Disposal of PHI in trashcans  Blue Cross of Tennessee fined $1.5 million − Unencrypted laptops stolen 9 KEYS TO HIPAA COMPLIANCE for Practice Managers
  10. 10. DATA BREACH: GEORGIA HOSPICE GROUP Unencrypted company laptop containing personal health information was stolen from an employee's car in 2013. Nearly 2,000 patients affected by the breach. Officials say the laptop contained patient names, addresses, phone numbers, dates of birth, Social Security numbers, insurance numbers, clinical diagnoses and provider names. Healthcare IT News - February 2013 10 KEYS TO HIPAA COMPLIANCE for Practice Managers
  11. 11. CARDIAC SURGERY PRACTICE April 2012–Phoenix Cardiac Surgery  $100,000 with Corrective Action Plan  Failed to implement policies to safeguard PHI  Failed to document training of employees on Privacy and Security Rules  Failed to identify a security official and conduct risk analysis  Failed to have BA agreements with Internet based e-mail and calendar services where provision of the service included storage of and access to its PHI 11 KEYS TO HIPAA COMPLIANCE for Practice Managers
  12. 12. PHI 18 IDENTIFIERS  Name  Medical record number  Health plan beneficiary number  Device identifiers and serial numbers  Vehicle identifiers and serial numbers  Biometric identifiers (i.e., finger and voice prints)  Full face photos and other comparable images  Any other unique identifying number, code, or characteristic  Postal address  All elements of dates except year  Telephone number  Fax number  E-mail address  URL address (Uniform Resource Locator or web address)  IP security (Internet Protocol address numbers)  Social Security number  Account numbers  License numbers 12 KEYS TO HIPAA COMPLIANCE for Practice Managers
  13. 13. Patient consent not required for…  Use in treatment, payment, or operations (TPO)  When records are subpoenaed − Check with MPL carrier for subpoena validity  Public interest or public health activities–required by law: − Mandated report of abuse to proper agencies − Preventing and controlling disease–CDC reports − FDA AUTHORIZED USE AND DISCLOSURE 13 KEYS TO HIPAA COMPLIANCE for Practice Managers
  14. 14. AUTHORIZED USE AND DISCLOSURE Most of the time…  Valid Authorization is required to release records to another party Specific consent required for…  Psychotherapy notes  Alcohol and drug abuse treatment program notes  Participation in research studies −Even for re-disclosure of any of the above 14 KEYS TO HIPAA COMPLIANCE for Practice Managers (continued)
  15. 15. SECURITY SAFEGUARDS  Administrative – Security Risk Assessment – Designated Privacy Officer – Policies and Procedures – Staff training  Physical  Technical 15 KEYS TO HIPAA COMPLIANCE for Practice Managers
  16. 16. THE FINAL OMNIBUS HIPAA RULE  Effective March 26, 2013  Enforcement began September 23, 2013 − HITECH Modification − HIPAA Enforcement Rule − Breach Notification Rule 16 KEYS TO HIPAA COMPLIANCE for Practice Managers
  17. 17. WHO DID THE CHANGES AFFECT?  HIPAA Covered Entities: − Healthcare providers, health systems, health plans, clearinghouses  HIPAA Business Associates and subcontractors: − Vendors who contract with Covered Entities and access protected health information (PHI) −Examples: Technology vendors, service organizations, accountable care organizations, third party administrators 17 KEYS TO HIPAA COMPLIANCE for Practice Managers
  18. 18. OMNIBUS RULE - HITECH  Holds BA’s directly liable for compliance;  Strengthens limitation on use and disclosure of PHI;  Expands individual’s rights How does this impact practice? … Notice of Privacy Practices (NPP) 18 KEYS TO HIPAA COMPLIANCE for Practice Managers
  19. 19. NPP MODIFICATIONS  Prohibition on the sale of PHI without authorization  Duty of CE to notify affected individuals of a breach of unsecured PHI  Right to restrict disclosures of PHI to health plan for care that was paid out of pocket in full  For CE that stated intent to fundraise in NPP, must also advise individual of the right to opt out of receiving fundraising communications from CE 19 KEYS TO HIPAA COMPLIANCE for Practice Managers
  20. 20. NPP NOTIFICATION TO PATIENTS  Must make the NPP available upon request on or after the effective date of the revision  Must make the NPP available at the service delivery site and post the NPP in a clear and prominent location  A health care provider is required to give a copy of its NPP only to new patients—and not all individuals seeking treatment 20 KEYS TO HIPAA COMPLIANCE for Practice Managers
  21. 21. OMNIBUS – HIPAA ENFORCEMENT RULE Modifies privacy, security, and enforcement rule of HIPAA How does this impact the practice? ... Penalties 21 KEYS TO HIPAA COMPLIANCE for Practice Managers
  22. 22. OMNIBUS – BREACH NOTIFICATION RULE Establishes a process for notifying patients and HHS when there is a breach of unsecured PHI. How does this impact the practice? ... CE’s are required to notify patients. 22 KEYS TO HIPAA COMPLIANCE for Practice Managers
  23. 23. BREACH OF PHI Any acquisition, access, use or disclosure not permitted is a Breach… UNLESS the CE or BA demonstrates a low probability of PHI compromise. 23 KEYS TO HIPAA COMPLIANCE for Practice Managers
  24. 24. BREACH NOTIFICATION OF UNSECURED PHI  Applies to breach of unsecured PHI  Applies to covered entities and business associates  Business Associates notify Covered Entity  Covered entity has burden to notify patient (unencrypted)  Must notify each individual affected by the breach (written notification within 60 days of discovery)  Discovery date = first date known 24 KEYS TO HIPAA COMPLIANCE for Practice Managers
  25. 25. BREACH EXCEPTIONS  Unintentional acquisition, access, or use by workforce member with no further impermissible use  Inadvertent disclosure from one authorized person to another or CE or BA and no further impermissible use  Recipient could not reasonably have retained the PHI  Encrypted data per OCR guidance 25 KEYS TO HIPAA COMPLIANCE for Practice Managers
  26. 26. BREACH NOTIFICATION REQUIREMENTS  Individual − Contact by phone if urgent − Written breach notification – first class mail unless e-mail preferred  HHS − <500 = Annual log report − >500 = Media notice and immediate notice HHS Secretary Annual report to HHS of all breaches  Media − <500 residents of a state or jurisdiction − Insufficient contact information for 10 or more individuals 26 KEYS TO HIPAA COMPLIANCE for Practice Managers
  27. 27. BREACH NOTIFICATION REQUIREMENTS  What happened?  What information was breached?  What steps the patient should take for protection?  What the CE is doing to investigate, mitigate and prevent future incidents?  CE contact information  Adhere to HIPAA Compliance plan for breach 27 KEYS TO HIPAA COMPLIANCE for Practice Managers (continued)
  28. 28. BREACH RESPONSE –WHAT IS YOUR PLAN?  Determine root cause of breach  Identify gaps in compliance that led to breach  Provide evidence that root cause has been addressed and gaps corrected 28 KEYS TO HIPAA COMPLIANCE for Practice Managers
  29. 29. TOP FIVE ISSUES IN INVESTIGATED CASES OCR took corrective action most often on…  Impermissible use and disclosure  Safeguards − Not in place–fax, email, computer accessibility, etc.  Access − Access to records was granted or not granted improperly  Minimum necessary − More information than needed was disclosed (e.g., phone message)  Notice of privacy practices – Not given 29 KEYS TO HIPAA COMPLIANCE for Practice Managers
  30. 30. BUSINESS ASSOCIATES AGREEMENTS  Business Associate Agreements must be updated to include specific new provisions  Existing agreements, entered before January 25, 2013, may operate until agreement is amended / renewed, or until September 22, 2014, whichever is earlier  Covered Entities and Business Associates will need to modify agreements and allocate risk through use of insurance requirements and indemnity provisions 30 KEYS TO HIPAA COMPLIANCE for Practice Managers
  31. 31. PUTTING IT ALL TOGETHER
  32. 32. WHAT ACTIONS ARE REQUIRED?  Perform risk assessment.  Establish risk management plan to address and manage areas of vulnerability.  Designate a HIPAA Security officer.  Encrypt all devices that contact PHI  Have written policies on Sanctions and Breach Notification  Train staff on how to protect PHI and ensure your policies are compliance with HIPAA  Audit/Test physical and electronic security policies and procedures regularly  Documentation 32 KEYS TO HIPAA COMPLIANCE for Practice Managers
  33. 33. IF NOT ALREADY ADDRESSED…  Update Notice of Privacy Practices  Revise all Business Associates Agreements 33 KEYS TO HIPAA COMPLIANCE for Practice Managers
  34. 34. Testing Your Compliance Select One: A. I am 100% confident that our practice is HIPAA compliant. B. I am fairly certain that our practice is HIPAA compliant but I’m not sure. C. Our practice is not HIPAA compliant. D. What’s HIPAA? 34 KEYS TO HIPAA COMPLIANCE for Practice Managers
  35. 35. TIPS FOR PRIVACY AND SECURITY  Limit access to a “need to know” basis  Do not conduct discussion in elevators, waiting area, or other public areas  If you see a patient in a public place, be careful in greeting him/her  Obtain patient’s permission before discussing care/treatment if there is someone with him/her  Keep voices down when discussing PHI  Log off computer when done 35 KEYS TO HIPAA COMPLIANCE for Practice Managers
  36. 36. TIPS FOR PRIVACY AND SECURITY  Use password protected or encrypted systems  Never share your password  Protect zip drives, laptop, PDA from loss  Never leave documents unattended  Do not put PHI in the trash  Avoid taking records out of the office if possible  Obtain written permission before leaving voicemail messages or emailing  Confirm fax numbers before sending and use a confidentiality statement on your cover sheet 36 KEYS TO HIPAA COMPLIANCE for Practice Managers (continued)
  37. 37. RESOURCES  Security Risk Assessment – HealthIT.gov www.healthit.gov/providers-professionals/security-risk-assessment  Sample Notice of Privacy Practices-English www.hhs.gov/ocr/privacy/hipaa/npp_fullpage_hc_provider.pdf  Sample Business Associates Agreement www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractpro v.html  Take Steps to Protect and Secure Information When Using a Mobile Device www.healthit.gov/sites/default/files/fact-sheet-take-steps-to-protect- information.pdf  Security Rule Educational Paper Series http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html 37 KEYS TO HIPAA COMPLIANCE for Practice Managers
  38. 38. The key to wisdom is knowing all the right questions. --John Simone, Sr. --
  39. 39. Contact Information For additional Patient Safety information, please visit our Web site at: www.thedoctors.com Amy Wasdin, RN, MBA, CPHRM Patient Safety Risk Manager II, Southeast Department of Patient Safety and Risk Management 800-421-2368, ext 6728 Email: awasdin@thedoctors.com ---------------------------------------------------------------------------------------------------------------- Nelson Guzman, CIC, CRM President, CBIZ Trinity Southeast Regional Healthcare Director, CBIZ Insurance Services Mobile: 404-791-8822 Email: nguzman@cbiztrinity.com Evan Orvis, Sales Executive Mobile: 770-712-3903 Direct: 470-282-2536 Email: eorvis@cbiz.com Kathy Alba, CISR, CLCS Senior Account Manager Direct: 678-389-7858 Email: kalba@cbiz.com 39 KEYS TO HIPAA COMPLIANCE for Practice Managers
  40. 40. THANK YOU We relentlessly defend, protect, and reward the practice of good medicine.

×