SlideShare ist ein Scribd-Unternehmen logo

HIPAA and HITECH : What you need to know

Shred-it
Shred-it

This presentation discusses how to comply with HIPAA and HITECH privacy laws. Learn key terms such as Protected Health Information, the Privacy Rule and the Security Rule as well as major changes brought by HIPAA and HITECH.

TechnologieBusiness
1 von 25
Downloaden Sie, um offline zu lesen
HIPAA and HITECH What You Need to Know
Today's Presenters Andrew Lenardon, Director of National Accounts Indirect Solutions for North America at Shred-it Andrew Lenardon is the Director of National Accounts Indirect Solutions for North America at Shred-it International,Inc., where he brings over 15 years of sales and leadership experience. In his role, Lenardon leads a team of professionals in helping Healthcare and Enterprise client improve the security of how they handle confidential records and identify wasteful spending that can be shifted to priorities such as information security, compliance efforts and business efficiency. Lenardon has worked at Shred-it since 2006. A graduate from McMaster University, Lenardon holds a B.Sc. in Biochemistry and currently resides in Toronto, Canada. Chris Sheehan, Compliance Agent, Providence, Rhode Island Chris has a combined 17 years of experience in the Records Management & Information Security industries. In the past he has served on the Board of Directors and Vice President for ARMA (Association for Records Managers & Administrators). For the last five years Chris has worked with the Federal & State governments in implementing policies to assist with the prevention of Fraud and the protection of Identity. Certified in Mass Law with regard to Mass Reg 201 CMR 17:00 Chris conducts Compliance Training for clients and assists with developing their Written Information Security Plan (WISP). Chris conducts Information Sessions for a number of Colleges and Universities to future educate Administrators, faculty and the student body on information security and sustainability for saving the Environment. David Pinter, National Accounts Executive David began his career at Shred-it over 12 years ago. He has been assisting healthcare organizations with their compliance and document security efforts since 2003 when HIPAA was first launched. David is a member of Shred-it’s National Accounts Healthcare Team where he provides new business development support and consulting activities for customers in the Healthcare and Group Purchase Organization spaces. 2
Protecting Patient Privacy – how important is it? 3
What is HIPAA? • Health Insurance Portability and Accountability Act (HIPAA) HIPAA requires health care organizations to have and maintain safeguards to prevent intentional or unintentional use or disclosure of protected health information. • The Federal law that requires health care organizations to, “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” • Specifically, the management of private information is detailed through the Privacy Rule and the Security Rule. Both rules are designed to protect an individual’s private and confidential information by standardizing the rules for how it is used, handled, stored, etc. 4
What is HITECH? • The Health Information Technology for Economic and Clinical Health (HITECH) Act includes rules that impact organizations that operate within HIPAA legislation. • It is in direct relation to HIPAA because it imposes standards on medical and healthcare organizations (business associates) in addition to those that are imposed by HIPAA (CE’s). It was part of the Reinvestment Act of 2009. • This act requires that all organizations in the medical field apply “meaningful use” of technology that demonstrates security efforts. This ensures that the confidentiality, integrity and availability of protected data is not compromised. 5
Major Changes Brought on by HITECH Since 2009 •Enforcement has become more proactive; meaning there are more penalties for smaller breaches and more parties. •Data that falls under the scope of protection is now grown to include other personal information beyond EPHI. •Stricter audits are now in practice. •Every consumer now has a right to own a copy of their PHI without paying a fee. •Business Associates are now required to comply with this act, not just Covered Entities. •There are now more restrictions on the use of protected health information for marketing purposes. 6
Key Terms • PHI and EPHI • Covered Entity and Business Associate • Security Rule and Privacy Rule • Common Control • Willful Neglect 7
PHI and EPHI PHI: Protected Health Information EPHI: PHI that has been converted in some way to electronic media 8
What is Considered PHI? • Medical records • Diagnosis of a certain condition • Procedure codes on claim forms • Claims data or information • Explanation of Benefits (EOB) • Pre-authorization forms • Crime reports • Coordination of benefit forms • Enrolment information and forms • Election forms • Reimbursement request forms • Records indicating payment • Claims denial and appeal information 9
Covered Entity and Business Associate Covered Entities (CE’s) include health care providers, health care clearinghouses, and health plans that electronically store, process or transmit electronic protected information (EPHI). Business Associates (BA’s) are parties that include any person or group that provides or facilitates for a covered entity in some way. 10
Privacy Rule & Security Rule • The Privacy Rule • Establishes national standards to protect individuals’ medical records and other personal health information • Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically • Requires appropriate safeguards to protect the privacy of personal health information • Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization • Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections • The Security Rule • Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity • Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information 11
What is Common Control? •A situation where a covered entity has indirect or direct power or influence over another entity’s actions or policies. •It places the onus on the CE to ensure that the outside BA they contracted is taking the necessary safe guards and actions to protect the PHI of individuals. 12
What is Willful Neglect? • Defined as “A tendency to be negligent and uncaring” • In the context of HIPAA and HITECH the terms differs from case to case. • With regards to the health care industry, willful neglect is a failure to comply or perform certain necessary tasks that is either intentional or conscious. • HITECH brought in harsher penalties for willful neglect. 13
How do organizations and individuals comply? • Companies should explore the requirements of HIPAA Privacy and Security Rules. • Health care organizations must implement policies and procedures related to accessing information. • Business associates must adopt HIPAA-compliant practices. 14
Why is compliance important? Patient privacy is very important and people have the expectation that health care organizations keep their information secure and private. They expect that their information will be safe from breaches. Not only is compliance important for the patient’s sake, but for the company’s own interests as well. Not only is your reputation at risk of being damaged, but cases of willful neglect in HITECH can be vulnerable to a penalty of AT LEAST $50,000.00 per violation for a total of $1.5 million in a calendar year. Compliance is important on many levels regardless of the circumstances. 15
What happens if you don’t comply? There are different penalties put into place by HIPAA and HITECH depending on the circumstances and situation. Since HITECH came into the picture in 2009, the penalties have become harsher and less forgiving. 16
Security Breach A major insurance coverer in Tennessee had a massive breach in 2009 which affected over 1 million people. They settled in court as of this year with a settlement of $1.5 million •It involved the theft of 57 unencrypted computer hard-drives On those hard-drives were: •Members names •Social Security Numbers •Diagnosis Codes •Date of birth’s •Health plan ID numbers •The investigation showed a lack of and failure of implementation of an appropriate safe guards for information. Not only digital but physical safe guards are required by HIPAA/HITECH and were missing in this situation. •The Company spent almost $17 million attempting to rectify the situation 17
What are the Penalties? 18
If a person… They will be fined… Or face Imprisonment of… Causes, uses or Up to $50,000.00 1 Year obtains individually identifiable information Commits an offense Up to $100,000.00 5 Years under false pretences If a person Commits Up to $250,000.00 10 Years an offense with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. 19
What are some ways that you can avoid a violation or a breach? Here are Some Tips for Best Practice… 20
Best Practices Stay informed Learn about HIPAA and HITECH and other privacy laws that impact your organization, and how to stay compliant. Establish a security Document the flow of confidential plan information in your workplace, and make sure that you have formal security policies in place. Educate and enforce Train your employees to understand and follow your information security policies. Update staff on a regular basis and post your policy and guidelines as frequent reminders. 21
Best Practices Limit access Only authorized personnel should handle confidential documents. Create a retention Determine which documents you must policy keep and for how long. Clearly mark a destruction date on all records in storage. Eliminate risk Introduce a Shred-All policy for all documents that are no longer needed, so that your employees do not have to decide what is – or isn’t – confidential. Secure destruction Partner with a knowledgeable industry leader that specializes in secure information destruction. 22
Who is Shred-it? • Shred-it specializes in providing a tailored information destruction service that allows businesses to comply with legislation and ensure that the client, employee and confidential business information is kept secure at all times. • Through our strict chain-of-custody processes, reliable on-time service and a global network of local service centers, Shred-it provides the most secure and efficient confidential information destruction service in the industry. 23
QUESTIONS? 24
Where can you find more information? Sources http://resource.shredit.com/LegislativeFactSheets http://www.healthcareinfosecurity.com/ http://www.hipaasurvivalguide.com/ http://www.hhs.gov/ http://www.datamountain.com/resources/hipaa- hitech-compliance/hipaa-hitech-faq/ 25

Empfohlen

Hitech Act
Hitech ActHitech Act
Hitech ActDeborah Obasogie
 
Hitech Act
Hitech ActHitech Act
Hitech ActISACA New England
 
US health care system overview 1
US health care system overview 1US health care system overview 1
US health care system overview 1nithinmohantk
 
Us Healthcare Presentation
Us Healthcare PresentationUs Healthcare Presentation
Us Healthcare Presentationesilbert
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceJay Hodes
 
HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ? HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ? Magda CHELLY, Ph.D, S-CISO, CISSP®
 
Powerpoint presentation on EHR
Powerpoint presentation on EHRPowerpoint presentation on EHR
Powerpoint presentation on EHRinformatics-jacqueline
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to YouWinston & Strawn LLP
 

Empfohlen

Hitech Act
Hitech ActHitech Act
Hitech ActDeborah Obasogie
 
Hitech Act
Hitech ActHitech Act
Hitech ActISACA New England
 
US health care system overview 1
US health care system overview 1US health care system overview 1
US health care system overview 1nithinmohantk
 
Us Healthcare Presentation
Us Healthcare PresentationUs Healthcare Presentation
Us Healthcare Presentationesilbert
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceJay Hodes
 
HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ? HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ? Magda CHELLY, Ph.D, S-CISO, CISSP®
 
Powerpoint presentation on EHR
Powerpoint presentation on EHRPowerpoint presentation on EHR
Powerpoint presentation on EHRinformatics-jacqueline
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to YouWinston & Strawn LLP
 
HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliancedixibee
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYmariaradziminski
 
hitech act
hitech acthitech act
hitech actpadler01
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA ComplianceCBIZ, Inc.
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy Amiit Keshav Naik
 
HIPAA
HIPAAHIPAA
HIPAAKarna *
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA ComplianceManny Oliverez
 
Us Health System Ppt
Us Health System PptUs Health System Ppt
Us Health System Pptasadhu86
 
Future Trends in Healthcare
Future Trends in HealthcareFuture Trends in Healthcare
Future Trends in HealthcareFarhad Zargari
 
Electronic health record
Electronic health recordElectronic health record
Electronic health recordEhrecord79
 
Presentation hippa
Presentation hippaPresentation hippa
Presentation hippamaggie_Platt
 
Hipaa overview 073118
Hipaa overview 073118Hipaa overview 073118
Hipaa overview 073118robint2125
 
Data Management - a top Priority for Healthcare Practices
Data Management - a top Priority for Healthcare PracticesData Management - a top Priority for Healthcare Practices
Data Management - a top Priority for Healthcare PracticesData Dynamics Inc
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & SecurityNational Pharmacy Technician Association
 
PPACA presentation
PPACA presentationPPACA presentation
PPACA presentationHeather Miliman
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHarshit Trivedi
 
Use of data analytics in health care
Use of data analytics in health careUse of data analytics in health care
Use of data analytics in health careAkanshabhushan
 
Public Health & information technology
Public Health & information technologyPublic Health & information technology
Public Health & information technologyShimaa Saied
 
HIPAA
HIPAAHIPAA
HIPAAbelziebub
 
Use of Electronic Health Record Data in Clinical Investigation Guidance for I...
Use of Electronic Health Record Data in Clinical Investigation Guidance for I...Use of Electronic Health Record Data in Clinical Investigation Guidance for I...
Use of Electronic Health Record Data in Clinical Investigation Guidance for I...Sungpil Han
 
HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit ImplementationValency Networks
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 

Weitere ähnliche Inhalte

Was ist angesagt?

HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliancedixibee
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYmariaradziminski
 
hitech act
hitech acthitech act
hitech actpadler01
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA ComplianceCBIZ, Inc.
 
Us Health System Ppt
Us Health System PptUs Health System Ppt
Us Health System Pptasadhu86
 
Future Trends in Healthcare
Future Trends in HealthcareFuture Trends in Healthcare
Future Trends in HealthcareFarhad Zargari
 
Electronic health record
Electronic health recordElectronic health record
Electronic health recordEhrecord79
 
Presentation hippa
Presentation hippaPresentation hippa
Presentation hippamaggie_Platt
 
Hipaa overview 073118
Hipaa overview 073118Hipaa overview 073118
Hipaa overview 073118robint2125
 
Data Management - a top Priority for Healthcare Practices
Data Management - a top Priority for Healthcare PracticesData Management - a top Priority for Healthcare Practices
Data Management - a top Priority for Healthcare PracticesData Dynamics Inc
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHarshit Trivedi
 
Use of data analytics in health care
Use of data analytics in health careUse of data analytics in health care
Use of data analytics in health careAkanshabhushan
 
Public Health & information technology
Public Health & information technologyPublic Health & information technology
Public Health & information technologyShimaa Saied
 
Use of Electronic Health Record Data in Clinical Investigation Guidance for I...
Use of Electronic Health Record Data in Clinical Investigation Guidance for I...Use of Electronic Health Record Data in Clinical Investigation Guidance for I...
Use of Electronic Health Record Data in Clinical Investigation Guidance for I...Sungpil Han
 

Was ist angesagt? (20)

HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliance
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGY
 
hitech act
hitech acthitech act
hitech act
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA Compliance
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy
 
HIPAA
HIPAAHIPAA
HIPAA
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
 
Us Health System Ppt
Us Health System PptUs Health System Ppt
Us Health System Ppt
 
Future Trends in Healthcare
Future Trends in HealthcareFuture Trends in Healthcare
Future Trends in Healthcare
 
Electronic health record
Electronic health recordElectronic health record
Electronic health record
 
Presentation hippa
Presentation hippaPresentation hippa
Presentation hippa
 
Hipaa overview 073118
Hipaa overview 073118Hipaa overview 073118
Hipaa overview 073118
 
Data Management - a top Priority for Healthcare Practices
Data Management - a top Priority for Healthcare PracticesData Management - a top Priority for Healthcare Practices
Data Management - a top Priority for Healthcare Practices
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
 
PPACA presentation
PPACA presentationPPACA presentation
PPACA presentation
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability Act
 
Use of data analytics in health care
Use of data analytics in health careUse of data analytics in health care
Use of data analytics in health care
 
Public Health & information technology
Public Health & information technologyPublic Health & information technology
Public Health & information technology
 
HIPAA
HIPAAHIPAA
HIPAA
 
Use of Electronic Health Record Data in Clinical Investigation Guidance for I...
Use of Electronic Health Record Data in Clinical Investigation Guidance for I...Use of Electronic Health Record Data in Clinical Investigation Guidance for I...
Use of Electronic Health Record Data in Clinical Investigation Guidance for I...
 

Ähnlich wie HIPAA and HITECH : What you need to know

HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit ImplementationValency Networks
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion Dan Wellisch
 
HIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process ServersHIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process ServersLawgical
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Health IT Conference – iHT2
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnKloudLearn
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaageeksikh
 
health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxamartya2087
 
Mha690 brittany koenig week 1 assignment2
Mha690 brittany koenig week 1 assignment2Mha690 brittany koenig week 1 assignment2
Mha690 brittany koenig week 1 assignment2bkoenig2010
 
Mha690 brittany koenig week 1 assignment2
Mha690 brittany koenig week 1 assignment2Mha690 brittany koenig week 1 assignment2
Mha690 brittany koenig week 1 assignment2bkoenig2010
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentialityjessie66
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptxQmcleod
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptxQmcleod
 
Hipaa.ppt3
Hipaa.ppt3Hipaa.ppt3
Hipaa.ppt3akwei2
 
Hipaa.ppt5
Hipaa.ppt5Hipaa.ppt5
Hipaa.ppt5akwei2
 
Hipaa.ppt4
Hipaa.ppt4Hipaa.ppt4
Hipaa.ppt4akwei2
 
Hipaa.ppt6
Hipaa.ppt6Hipaa.ppt6
Hipaa.ppt6akwei2
 

Ähnlich wie HIPAA and HITECH : What you need to know (20)

HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit Implementation
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simple
 
HIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process ServersHIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process Servers
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaa
 
health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptx
 
Mha690 brittany koenig week 1 assignment2
Mha690 brittany koenig week 1 assignment2Mha690 brittany koenig week 1 assignment2
Mha690 brittany koenig week 1 assignment2
 
Mha690 brittany koenig week 1 assignment2
Mha690 brittany koenig week 1 assignment2Mha690 brittany koenig week 1 assignment2
Mha690 brittany koenig week 1 assignment2
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentiality
 
Data Management Protection Acts
Data Management Protection ActsData Management Protection Acts
Data Management Protection Acts
 
Annual HIPAA Training
Annual HIPAA TrainingAnnual HIPAA Training
Annual HIPAA Training
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptx
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptx
 
Hipaa.ppt3
Hipaa.ppt3Hipaa.ppt3
Hipaa.ppt3
 
Hipaa.ppt5
Hipaa.ppt5Hipaa.ppt5
Hipaa.ppt5
 
Hipaa.ppt4
Hipaa.ppt4Hipaa.ppt4
Hipaa.ppt4
 
Hipaa.ppt6
Hipaa.ppt6Hipaa.ppt6
Hipaa.ppt6
 

Mehr von Shred-it

Lifecycle of a Document
Lifecycle of a Document Lifecycle of a Document
Lifecycle of a Document Shred-it
 
Recycling Shredded Paper
Recycling Shredded PaperRecycling Shredded Paper
Recycling Shredded PaperShred-it
 
Security Tracker 2012 - U.S.
Security Tracker 2012 - U.S.Security Tracker 2012 - U.S.
Security Tracker 2012 - U.S.Shred-it
 
Every Workplace Needs to Reduce Risk of Data Breaches – Including Government ...
Every Workplace Needs to Reduce Risk of Data Breaches – Including Government ...Every Workplace Needs to Reduce Risk of Data Breaches – Including Government ...
Every Workplace Needs to Reduce Risk of Data Breaches – Including Government ...Shred-it
 
50 Security Tips – Part 2
50 Security Tips – Part 250 Security Tips – Part 2
50 Security Tips – Part 2Shred-it
 
50 Security Tips – Part 1
50 Security Tips – Part 1 50 Security Tips – Part 1
50 Security Tips – Part 1 Shred-it
 
Your Employees and Information Security
Your Employees and Information SecurityYour Employees and Information Security
Your Employees and Information SecurityShred-it
 

Mehr von Shred-it (7)

Lifecycle of a Document
Lifecycle of a Document Lifecycle of a Document
Lifecycle of a Document
 
Recycling Shredded Paper
Recycling Shredded PaperRecycling Shredded Paper
Recycling Shredded Paper
 
Security Tracker 2012 - U.S.
Security Tracker 2012 - U.S.Security Tracker 2012 - U.S.
Security Tracker 2012 - U.S.
 
Every Workplace Needs to Reduce Risk of Data Breaches – Including Government ...
Every Workplace Needs to Reduce Risk of Data Breaches – Including Government ...Every Workplace Needs to Reduce Risk of Data Breaches – Including Government ...
Every Workplace Needs to Reduce Risk of Data Breaches – Including Government ...
 
50 Security Tips – Part 2
50 Security Tips – Part 250 Security Tips – Part 2
50 Security Tips – Part 2
 
50 Security Tips – Part 1
50 Security Tips – Part 1 50 Security Tips – Part 1
50 Security Tips – Part 1
 
Your Employees and Information Security
Your Employees and Information SecurityYour Employees and Information Security
Your Employees and Information Security
 

Kürzlich hochgeladen

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxEasyPrinterHelp
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastUXDXConf
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Julian Hyde
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKUXDXConf
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101vincent683379
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 

Kürzlich hochgeladen (20)

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptx
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 

HIPAA and HITECH : What you need to know

  • 1. HIPAA and HITECH What You Need to Know
  • 2. Today's Presenters Andrew Lenardon, Director of National Accounts Indirect Solutions for North America at Shred-it Andrew Lenardon is the Director of National Accounts Indirect Solutions for North America at Shred-it International,Inc., where he brings over 15 years of sales and leadership experience. In his role, Lenardon leads a team of professionals in helping Healthcare and Enterprise client improve the security of how they handle confidential records and identify wasteful spending that can be shifted to priorities such as information security, compliance efforts and business efficiency. Lenardon has worked at Shred-it since 2006. A graduate from McMaster University, Lenardon holds a B.Sc. in Biochemistry and currently resides in Toronto, Canada. Chris Sheehan, Compliance Agent, Providence, Rhode Island Chris has a combined 17 years of experience in the Records Management & Information Security industries. In the past he has served on the Board of Directors and Vice President for ARMA (Association for Records Managers & Administrators). For the last five years Chris has worked with the Federal & State governments in implementing policies to assist with the prevention of Fraud and the protection of Identity. Certified in Mass Law with regard to Mass Reg 201 CMR 17:00 Chris conducts Compliance Training for clients and assists with developing their Written Information Security Plan (WISP). Chris conducts Information Sessions for a number of Colleges and Universities to future educate Administrators, faculty and the student body on information security and sustainability for saving the Environment. David Pinter, National Accounts Executive David began his career at Shred-it over 12 years ago. He has been assisting healthcare organizations with their compliance and document security efforts since 2003 when HIPAA was first launched. David is a member of Shred-it’s National Accounts Healthcare Team where he provides new business development support and consulting activities for customers in the Healthcare and Group Purchase Organization spaces. 2
  • 3. Protecting Patient Privacy – how important is it? 3
  • 4. What is HIPAA? • Health Insurance Portability and Accountability Act (HIPAA) HIPAA requires health care organizations to have and maintain safeguards to prevent intentional or unintentional use or disclosure of protected health information. • The Federal law that requires health care organizations to, “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” • Specifically, the management of private information is detailed through the Privacy Rule and the Security Rule. Both rules are designed to protect an individual’s private and confidential information by standardizing the rules for how it is used, handled, stored, etc. 4
  • 5. What is HITECH? • The Health Information Technology for Economic and Clinical Health (HITECH) Act includes rules that impact organizations that operate within HIPAA legislation. • It is in direct relation to HIPAA because it imposes standards on medical and healthcare organizations (business associates) in addition to those that are imposed by HIPAA (CE’s). It was part of the Reinvestment Act of 2009. • This act requires that all organizations in the medical field apply “meaningful use” of technology that demonstrates security efforts. This ensures that the confidentiality, integrity and availability of protected data is not compromised. 5
  • 6. Major Changes Brought on by HITECH Since 2009 •Enforcement has become more proactive; meaning there are more penalties for smaller breaches and more parties. •Data that falls under the scope of protection is now grown to include other personal information beyond EPHI. •Stricter audits are now in practice. •Every consumer now has a right to own a copy of their PHI without paying a fee. •Business Associates are now required to comply with this act, not just Covered Entities. •There are now more restrictions on the use of protected health information for marketing purposes. 6
  • 7. Key Terms • PHI and EPHI • Covered Entity and Business Associate • Security Rule and Privacy Rule • Common Control • Willful Neglect 7
  • 8. PHI and EPHI PHI: Protected Health Information EPHI: PHI that has been converted in some way to electronic media 8
  • 9. What is Considered PHI? • Medical records • Diagnosis of a certain condition • Procedure codes on claim forms • Claims data or information • Explanation of Benefits (EOB) • Pre-authorization forms • Crime reports • Coordination of benefit forms • Enrolment information and forms • Election forms • Reimbursement request forms • Records indicating payment • Claims denial and appeal information 9
  • 10. Covered Entity and Business Associate Covered Entities (CE’s) include health care providers, health care clearinghouses, and health plans that electronically store, process or transmit electronic protected information (EPHI). Business Associates (BA’s) are parties that include any person or group that provides or facilitates for a covered entity in some way. 10
  • 11. Privacy Rule & Security Rule • The Privacy Rule • Establishes national standards to protect individuals’ medical records and other personal health information • Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically • Requires appropriate safeguards to protect the privacy of personal health information • Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization • Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections • The Security Rule • Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity • Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information 11
  • 12. What is Common Control? •A situation where a covered entity has indirect or direct power or influence over another entity’s actions or policies. •It places the onus on the CE to ensure that the outside BA they contracted is taking the necessary safe guards and actions to protect the PHI of individuals. 12
  • 13. What is Willful Neglect? • Defined as “A tendency to be negligent and uncaring” • In the context of HIPAA and HITECH the terms differs from case to case. • With regards to the health care industry, willful neglect is a failure to comply or perform certain necessary tasks that is either intentional or conscious. • HITECH brought in harsher penalties for willful neglect. 13
  • 14. How do organizations and individuals comply? • Companies should explore the requirements of HIPAA Privacy and Security Rules. • Health care organizations must implement policies and procedures related to accessing information. • Business associates must adopt HIPAA-compliant practices. 14
  • 15. Why is compliance important? Patient privacy is very important and people have the expectation that health care organizations keep their information secure and private. They expect that their information will be safe from breaches. Not only is compliance important for the patient’s sake, but for the company’s own interests as well. Not only is your reputation at risk of being damaged, but cases of willful neglect in HITECH can be vulnerable to a penalty of AT LEAST $50,000.00 per violation for a total of $1.5 million in a calendar year. Compliance is important on many levels regardless of the circumstances. 15
  • 16. What happens if you don’t comply? There are different penalties put into place by HIPAA and HITECH depending on the circumstances and situation. Since HITECH came into the picture in 2009, the penalties have become harsher and less forgiving. 16
  • 17. Security Breach A major insurance coverer in Tennessee had a massive breach in 2009 which affected over 1 million people. They settled in court as of this year with a settlement of $1.5 million •It involved the theft of 57 unencrypted computer hard-drives On those hard-drives were: •Members names •Social Security Numbers •Diagnosis Codes •Date of birth’s •Health plan ID numbers •The investigation showed a lack of and failure of implementation of an appropriate safe guards for information. Not only digital but physical safe guards are required by HIPAA/HITECH and were missing in this situation. •The Company spent almost $17 million attempting to rectify the situation 17
  • 18. What are the Penalties? 18
  • 19. If a person… They will be fined… Or face Imprisonment of… Causes, uses or Up to $50,000.00 1 Year obtains individually identifiable information Commits an offense Up to $100,000.00 5 Years under false pretences If a person Commits Up to $250,000.00 10 Years an offense with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. 19
  • 20. What are some ways that you can avoid a violation or a breach? Here are Some Tips for Best Practice… 20
  • 21. Best Practices Stay informed Learn about HIPAA and HITECH and other privacy laws that impact your organization, and how to stay compliant. Establish a security Document the flow of confidential plan information in your workplace, and make sure that you have formal security policies in place. Educate and enforce Train your employees to understand and follow your information security policies. Update staff on a regular basis and post your policy and guidelines as frequent reminders. 21
  • 22. Best Practices Limit access Only authorized personnel should handle confidential documents. Create a retention Determine which documents you must policy keep and for how long. Clearly mark a destruction date on all records in storage. Eliminate risk Introduce a Shred-All policy for all documents that are no longer needed, so that your employees do not have to decide what is – or isn’t – confidential. Secure destruction Partner with a knowledgeable industry leader that specializes in secure information destruction. 22
  • 23. Who is Shred-it? • Shred-it specializes in providing a tailored information destruction service that allows businesses to comply with legislation and ensure that the client, employee and confidential business information is kept secure at all times. • Through our strict chain-of-custody processes, reliable on-time service and a global network of local service centers, Shred-it provides the most secure and efficient confidential information destruction service in the industry. 23
  • 25. Where can you find more information? Sources http://resource.shredit.com/LegislativeFactSheets http://www.healthcareinfosecurity.com/ http://www.hipaasurvivalguide.com/ http://www.hhs.gov/ http://www.datamountain.com/resources/hipaa- hitech-compliance/hipaa-hitech-faq/ 25