1. REGULATORY COMPLIANCE SEMINAR SERIES
HIPAA OMNIBUS COMPENDIUM
Presenter:
Omar E. Vazquez, CHTS
Health IT & HIPAA Consultant
Panotech Consulting & Services Group
http://pr.linkedin.com/in/OmarVR
HIPAA OMNIBUS 2013
2. HIPAA OMNIBUS 2013
Disclaimer
© Panotech Consulting & Services Group 2013. All rights reserved.
The Fine Print
The material in this presentation has been prepared by Panotech Consulting & Services Group as an
educational tool that is general in nature and current as at the date of preparation. Information is given
in summary form and does not purport to be complete. It is not intended to be an exhaustive review of
the Health Insurance Portability and Accountability Act (HIPAA) and is not intended to provide legal
advice and/or to cover all laws that apply to your practice. Materials presented in this presentation
should not be considered a substitute for actual statutory or regulatory language. Always refer to the
current edition of a referenced statute, code, standard, guideline, regulation, and/or publication for
precise language. Panotech Group does not guarantee the accuracy of the data included in this
presentation and accepts no responsibility for any consequences of their use. If you need advice
regarding a specific legal or ethical matter, you are encouraged to consult with a competent attorney
who could provide you proper legal advice.
*Edit
The slides in this presentation were prepared as talking points. It is possible that key substantive
elements were delivered orally during presentation and are not present on the slides. Questions
regarding content should be directed to the author.
3. HIPAA OMNIBUS 2013
Content
1. Changes Introduced by the Omnibus Rule
2. Overview of Privacy and Security Requirements
3. Roadblocks to Compliance
4. How to Achieve Compliance
5. Q&A Session
4. HIPAA OMNIBUS 2013
What Is Changed?
Health Insurance Portability And Accountability Act - Timeline
● Enacted in 1996
● Amended on December 29, 2000 to include the Privacy Rule
● Amended on February 20, 2003 to include the Security Rule
● Amended on February 16, 2006 to include the Enforcement Rule
● Amended on August 24, 2009 to include HITECH Act provisions (Interim Final Rule)
● Amended on January 26, 2013 to incorporate the Omnibus provisions (Final Rule)
● September 23rd, 2013 – Final date for compliance with the Final Rule
5. HIPAA OMNIBUS 2013
What Is Changed?
What's The Final (Omnibus) Rule?
● Federal Register Vol. 78 No. 17 Part 2 - January 25, 2013
● Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification
Rules Under the Health Information Technology for Economic and Clinical Health Act
and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA
Rules.
6. HIPAA OMNIBUS 2013
What Is Changed?
Summary Of Changes Introduced By The Omnibus Rule
The omnibus final rule is comprised of the following four final rules:
1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by
the Health Information Technology for Economic and Clinical Health (HITECH) Act, and
certain other modifications to improve the Rules.
● Make business associates of covered entities directly liable for compliance with certain
of the HIPAA Privacy and Security Rules’ requirements.
● Strengthen the limitations on the use and disclosure of protected health information for
marketing and fund raising purposes, and prohibit the sale of protected health
information without individual authorization.
● Expand individuals’ rights to receive electronic copies of their health information and to
restrict disclosures to a health plan concerning treatment for which the individual has
paid out of pocket in full.
7. HIPAA OMNIBUS 2013
What Is Changed?
Summary Of Changes Introduced By The Omnibus Rule (cont.)
● Require modifications to, and redistribution of, a covered entity’s notice of privacy
practices.
● Modify the individual authorization and other requirements to facilitate research and
disclosure of child immunization proof to schools, and to enable access to decedent
information by family members or others.
● Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously
adopted in the October 30, 2009, interim final rule, such as the provisions addressing
enforcement of noncompliance with the HIPAA Rules due to willful neglect.
8. HIPAA OMNIBUS 2013
What Is Changed?
Summary Of Changes Introduced By The Omnibus Rule (cont.)
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased
and tiered civil money penalty structure provided by the HITECH Act, originally published as
an interim final rule on October 30, 2009.
3. Final rule on Breach Notification for Unsecured Protected Health Information under the
HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more
objective standard and supplants an interim final rule published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information
Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic
information for underwriting purposes, which was published as a proposed rule on October
7, 2009.
9. HIPAA OMNIBUS 2013
What Is HIPAA?
Health Insurance Portability & Accountability Act (HIPAA) Components
● Definitions
● General provisions
● Enforcement Rule
● Privacy Rule
● Security Rule
● Notification Rule
10. HIPAA OMNIBUS 2013
What Is HIPAA?
Important Definitions
● Covered Entity (C.E.) – Health plan, clearinghouse, or other person or organization who
furnishes, bills, or is paid for health care in the normal course of business and transmits
any health information in electronic form.
● Business Associate (B.A.) – Any individual or entity who creates, receives, maintains,
stores, or transmits protected health information (PHI) for, or on behalf of, a covered
entity, even if they do not actually view the protected health information, and/or where the
provision of the service involves the disclosure of protected health information. A B.A. is
not part of the covered entity's workforce.
● Disclosure – Means the release, transfer, provision of access to, or divulging in any
manner of information outside the entity holding the information.
● Protected Health Information (PHI) - Means individually identifiable health information
transmitted by electronic media, maintained in electronic media, and transmitted or
maintained in any other form or medium.
11. HIPAA OMNIBUS 2013
What Is HIPAA?
Important Definitions (cont.)
● Reasonable cause – Means an act or omission in which a covered entity or business
associate knew, or by exercising reasonable diligence would have known, that the act or
omission violated an administrative simplification provision, but in which the covered
entity or business associate did not act with willful neglect.
● Reasonable diligence – means the business care and prudence expected from a person
seeking to satisfy a legal requirement under similar circumstances.
● Willful neglect – means conscious, intentional failure or reckless indifference to the
obligation to comply with the administrative simplification provision violated.
● Breach – Means the acquisition, access, use, or disclosure of protected health
information in a manner which compromises the security or privacy of such information.
A breach is presumed unless the C.E. or B.A. demonstrates that there is a low
probability that the protected health information has been compromised (“Guilty until
proven innocent”).
12. HIPAA OMNIBUS 2013
What Is HIPAA?
Important Definitions (cont.)
● Unsecured Protected Health Information – means protected health information that is
not rendered unusable, unreadable, or indecipherable to unauthorized persons through
the use of a technology or methodology in compliance with the Security Rule.
● Marketing – A communication about a product or service that encourages recipients of
the communication to purchase or use the product or service.
13. HIPAA OMNIBUS 2013
What Is HIPAA?
Understanding HIPAA Rules and Provisions
● Policies – Provide guidance about expected behavior and outline the consequences
when it is not met. HIPAA sets forth, and is based on, policies.
● Standards – A rule, condition, or requirement derived from policies, dealing with a
specific aspect or issue. Standards provide enough detail that an audit can be performed to
determine whether the standard is being met. HIPAA defines standards that must be met.
● Guidelines – Help implement and maintain standards by providing information on how to
accomplish the policies and maintain the standards. HIPAA does not include guidelines;
it sets forth Implementation Specifications that should be referenced from such entities
as the National Institute for Standards and Technology (NIST). For example, NIST
Special Publication 800-66.
14. HIPAA OMNIBUS 2013
What Is HIPAA?
Understanding HIPAA Rules and Provisions – Chain of Causality
[Diagram: chain-of-causality boxes labelled Policies, Standards, Safeguards, Guidelines and Audits; the Guidelines box is annotated “HIPAA Implementation Specifications, e.g. NIST Guidelines, etc.”]
15. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Privacy Rule
1. Focuses on safeguarding individuals' right to privacy.
2. The Privacy Rule establishes minimum Federal standards for protecting the privacy of
individually identifiable health information.
3. Applies to PHI in any form.
16. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Privacy Rule
The Privacy Rule regulates what information is protected, and how protected health
information can be used and disclosed.
● Covered entities must disclose PHI to the patient or personal representative within 30
days upon request.
● C.E. must disclose PHI when required to do so by law (e.g. reporting suspected child
abuse to state child welfare agencies).
● A covered entity may disclose PHI to facilitate treatment, payment, or health care
operations (T.P.O.) without a patient's express written authorization.
● All other disclosures of PHI require the C.E. to obtain advanced written authorization
from the individual.
17. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Privacy Rule (cont.)
● Minimum necessary: when using or disclosing protected health information, a C.E. must make
reasonable efforts to limit the protected health information to the absolute minimum
necessary to accomplish the intended purpose of the use, disclosure, or request.
● The Privacy Rule gives individuals the right to request that a C.E. correct any inaccurate
PHI
● Requires covered entities to take reasonable steps to ensure the confidentiality of
communications with individuals.
● Requires covered entities to notify individuals of uses of their PHI.
● C.E. must also keep track of disclosures of PHI and document privacy policies and
procedures.
18. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Privacy Rule (cont.)
● A Privacy Official must be appointed, responsible for receiving complaints and for training all
members of the workforce in privacy and security procedures regarding PHI.
● An individual or employee who believes that the Privacy Rule is not being upheld can
file a complaint with the Department of Health and Human Services Office for Civil
Rights (OCR).
● A C.E. must comply with the requirements of the Privacy Rule with regard to the
protected health information of a deceased individual for a period of 50 years following
the date of death.
● C.E.s are permitted to disclose a decedent’s information to family members and others
who were involved in the care or payment for care of the decedent prior to death, unless
doing so is inconsistent with any prior expressed preference of the individual that is
known to the covered entity.
19. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Privacy Rule (cont.)
● Personal representatives: not the same as emergency contact.
● A contract between the covered entity and a business associate must establish the
permitted and required uses and disclosures of protected health information by the
business associate.
● A B.A. must use appropriate safeguards with respect to electronic protected health
information, to prevent use or disclosure of the information other than as provided for by
its contract.
● Special attention should be given to situations involving PHI related to emancipated and
unemancipated minors.
● PHI may be used and disclosed for research with an individual's written permission in
the form of an Authorization.
20. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Notification Rule
The Breach Notification Rule requires physicians and other covered entities to notify
patients, and the HHS if a breach of unsecured PHI occurs. If the breach involves more
than 500 individuals, the media should be notified too.
The Breach Notification Rule also requires physician practices and their B.A.s to
implement internal policies and procedures relating to breach notification.
21. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule
1. Focuses on the safeguarding of electronic protected health information (ePHI).
2. Created to protect the confidentiality, integrity, and availability of ePHI.
3. ePHI that a covered entity creates, receives, maintains, or transmits must be protected
against reasonably anticipated threats, hazards, and impermissible uses and/or
disclosures.
4. Requirements of the Security Rule were designed to be technology neutral and
scalable to all different sizes of covered entities and business associates. Intentionally
vague.
22. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
Key concepts:
1. Security – The practice of defending information from unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or destruction. It is the
degree of resistance to, or protection from, harm, and it applies to any vulnerable and
valuable asset.
2. Confidentiality – Keeping private information secret, preventing the disclosure of
information to unauthorized individuals or systems.
3. Integrity – Maintaining and assuring the accuracy and consistency of data over its
entire life-cycle. Data cannot be modified in an unauthorized or undetected manner.
4. Availability – The information must be available when it is needed. This means that the
computing systems used to store and process the information, the security controls
used to protect it, and the communication channels used to access it must be
functioning correctly at all times.
23. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
The Security Rule enumerates three types of safeguards:
1. Administrative – Focus on internal organization, policies, procedures, and
maintenance of security measures. They keep the medical practice compliant and trained over
time, and ensure that it is conscious of the risks it faces.
2. Technical – Technology, and the policies and procedures for its use, that protect
electronic health information and control access to it.
3. Physical – Physical measures, policies, and procedures to protect a Covered Entity's
electronic information systems and related buildings and equipment from natural and
environmental hazards and unauthorized intrusion.
24. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
Safeguards include two categories of implementation specifications:
● Required (R) – Its implementation is always required without exception, no matter the
situation.
● Addressable (A) – Must be implemented if it's reasonable and appropriate, but does not
have to be implemented if there is an alternative that would accomplish the same
purpose, or the standard can be met without implementing the specification or an
alternative. “Addressable” does not mean “optional”. Nothing in HIPAA is optional! If
implementing the specification is not reasonable and appropriate, the reasons should be
properly documented and an alternative measure should be implemented if needed.
25. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
Administrative safeguards
1. Implement policies and procedures to prevent, detect, contain, and correct security
violations.
● (R) Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of electronic protected
health information.
● (R) Implement security measures sufficient to reduce risks and vulnerabilities to a
reasonable and appropriate level.
● (R) Apply appropriate sanctions against workforce members who fail to comply with
the security policies and procedures of the covered entity or business associate.
● (R) Procedures to regularly review records of information system activity.
26. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
2. Implement policies and procedures to ensure that all members of its workforce have
appropriate access to electronic protected health information and to prevent those
workforce members who do not have access from obtaining access to electronic
protected health information.
● (A) Implement procedures for the authorization and/or supervision of workforce
members who work with electronic protected health information or in locations
where it might be accessed, and ensure that the access of a workforce member to
electronic protected health information is appropriate.
● (A) Implement procedures for terminating access to electronic protected health
information when the employment of, or other arrangement with, a workforce
member ends or as required.
27. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
3. Implement policies and procedures for authorizing access to electronic protected
health information that are consistent with the applicable requirements.
● (A) Implement policies and procedures for granting access to electronic protected
health information, for example, through access to a workstation, transaction,
program, process, or other mechanism.
● (A) Implement policies and procedures that, based upon the covered entity's or the
business associate's access authorization policies, establish, document, review,
and modify a user's right of access to a workstation, transaction, program, or
process.
4. Identify the security official who is responsible for the development and
implementation of the policies and procedures required.
28. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
5. Implement a security awareness and training program for all members of the
workforce, including physicians and management.
● (A) Periodic security updates and reminders.
● (A) Procedures for guarding against, detecting, and reporting malicious software.
● (A) Procedures for monitoring log-in attempts and reporting discrepancies.
● (A) Procedures for creating, changing, and safeguarding passwords.
6. Implement policies and procedures to address security incidents.
● (R) Identify and respond to suspected or known security incidents; mitigate
harmful effects of security incidents that are known to the covered entity or business
associate; and document security incidents and their outcomes.
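As an added example (not code from the deck or from Panotech), this is the kind of scripted review that stands behind the addressable “monitoring log-in attempts and reporting discrepancies” specification on this slide and the required “regularly review records of information system activity” procedure on slide 25. The log format, the twelve log lines, the terminated-user list and the thresholds are all constructed for the illustration; real systems log in their own formats, so the regular expression would need adapting.

```python
"""Added illustration: review constructed login records for discrepancies
worth reporting (failure bursts, success right after a burst, after-hours
logins, and logins by accounts whose access should have been terminated)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is invented for this example.
SAMPLE_LOG = """\
2013-09-23T08:02:11 LOGIN user=dr.rivera src=10.0.1.21 result=SUCCESS
2013-09-23T08:05:40 LOGIN user=front.desk src=10.0.1.30 result=SUCCESS
2013-09-23T12:14:02 LOGIN user=dr.rivera src=10.0.1.21 result=FAILURE
2013-09-23T12:14:09 LOGIN user=dr.rivera src=10.0.1.21 result=FAILURE
2013-09-23T12:14:15 LOGIN user=dr.rivera src=10.0.1.21 result=SUCCESS
2013-09-23T21:47:30 LOGIN user=billing2 src=10.0.1.44 result=FAILURE
2013-09-23T21:47:33 LOGIN user=billing2 src=10.0.1.44 result=FAILURE
2013-09-23T21:47:36 LOGIN user=billing2 src=10.0.1.44 result=FAILURE
2013-09-23T21:47:39 LOGIN user=billing2 src=10.0.1.44 result=FAILURE
2013-09-23T21:47:42 LOGIN user=billing2 src=10.0.1.44 result=FAILURE
2013-09-23T21:48:01 LOGIN user=billing2 src=10.0.1.44 result=SUCCESS
2013-09-24T02:10:05 LOGIN user=former.ma src=10.0.1.50 result=SUCCESS
"""

# Constructed policy inputs; a real review pulls these from HR/IT records.
TERMINATED_USERS = {"former.ma"}      # accounts that should already be disabled
FAILURE_THRESHOLD = 5                 # failures within WINDOW that count as a burst
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)              # 07:00 to 19:00 local time

LINE_RE = re.compile(r"^(\S+) LOGIN user=(\S+) src=(\S+) result=(SUCCESS|FAILURE)$")


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "src": src, "ok": result == "SUCCESS"})
    return events


def find_discrepancies(events):
    """Return (user, kind, time) tuples for each discrepancy found."""
    findings = []
    failures = defaultdict(list)      # user -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["time"]):
        user, now = ev["user"], ev["time"]
        recent = [t for t in failures[user] if now - t <= WINDOW]
        if ev["ok"]:
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append((user, "success-after-failure-burst", now))
            failures[user].clear()
            if user in TERMINATED_USERS:
                findings.append((user, "terminated-account-login", now))
            if not (BUSINESS_HOURS[0] <= now.hour < BUSINESS_HOURS[1]):
                findings.append((user, "after-hours-login", now))
        else:
            failures[user].append(now)
            if len(recent) + 1 == FAILURE_THRESHOLD:   # report once per burst
                findings.append((user, "failure-burst", now))
    return findings


def report(log_text=SAMPLE_LOG):
    """Human-readable lines for the reviewer's sign-off record."""
    return [f"{t.isoformat()} {user}: {kind}"
            for user, kind, t in find_discrepancies(parse(log_text))]


if __name__ == "__main__":
    print("\n".join(report()))
```

The point of the script is the paper trail it produces, not the heuristics themselves: the Security Rule asks for a documented procedure that is actually run, so each review's output (even an empty one) should be kept with the date and the reviewer's name. The two users flagged here are a burst of failures followed by a success outside business hours, and a login by an account that should have been disabled when the workforce member left (the termination procedure on slide 26).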
29. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
7. Establish (and implement as needed) policies and procedures for responding to an
emergency or other occurrence (e.g. fire, vandalism, system failure, natural disaster) that
damages systems that contain electronic protected health information.
● (R) Establish and implement procedures to create and maintain retrievable exact
copies of electronic protected health information. (i.e. back-up plan).
● (R) Establish (and implement as needed) procedures to restore any loss of data.
Disaster Recovery Plan.
● (R) Establish (and implement as needed) procedures to enable continuation of
critical business processes for protection of the security of electronic protected
health information while operating in emergency mode. Business Continuity Plan.
● (A) Implement procedures for periodic testing and revision of contingency plans;
and for the assessment of application and data criticality.
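An added example, not from the deck: a restore drill for the required “retrievable exact copies” specification and the addressable “periodic testing and revision of contingency plans” on this slide. It records a SHA-256 manifest of the live files, copies them, verifies the copy, then damages the copy to show the check detecting one corrupted and one missing file. The file names and contents are constructed in a temporary directory; the manifest format is this example's own.

```python
"""Added illustration: prove a backup is an exact, retrievable copy by
comparing SHA-256 digests recorded at backup time against the restored files."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Streamed SHA-256 so large ePHI exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Map each file's path relative to source_dir to its SHA-256 digest."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_of(full)
    return manifest


def verify_restore(manifest, restore_dir):
    """Return (relative path, problem) for every file that is not an exact copy."""
    problems = []
    for rel, digest in manifest.items():
        full = os.path.join(restore_dir, rel)
        if not os.path.exists(full):
            problems.append((rel, "missing"))
        elif sha256_of(full) != digest:
            problems.append((rel, "hash-mismatch"))
    return problems


def restore_drill():
    """Simulate a contingency-plan test with constructed files.

    Returns (problems in the clean restore, problems after damage)."""
    work = tempfile.mkdtemp(prefix="ephi-drill-")
    try:
        src = os.path.join(work, "live")
        os.makedirs(src)
        with open(os.path.join(src, "chart-0001.txt"), "w") as f:
            f.write("constructed chart record\n")
        with open(os.path.join(src, "chart-0002.txt"), "w") as f:
            f.write("another constructed record\n")
        manifest = build_manifest(src)          # taken when the backup is made
        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)            # the "backup" itself
        clean = verify_restore(manifest, backup)
        # Damage the restored copy: corrupt one file, lose another.
        with open(os.path.join(backup, "chart-0001.txt"), "a") as f:
            f.write("bit rot\n")
        os.remove(os.path.join(backup, "chart-0002.txt"))
        damaged = verify_restore(manifest, backup)
        return clean, sorted(damaged)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

Keep the manifest with the backup metadata rather than inside the backup set, so that a corrupted or substituted backup cannot carry a matching manifest with it, and record each drill's result as evidence that the contingency plan was tested. Encrypting the backups, which slide 42 recommends, does not change this check: the digests are taken over the files as they were before encryption and again after they are decrypted on restore.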
30. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
8. A covered entity may permit a business associate to create, receive, maintain, store,
or transmit electronic protected health information on the covered entity's behalf only if
the covered entity obtains satisfactory assurances, that the business associate will
appropriately safeguard the information.
● (R) Document the satisfactory assurances through a written contract or other
arrangement with the business associate that meets the applicable requirements.
9. Perform a periodic technical and nontechnical evaluation, based initially upon the
standards implemented under this rule and, subsequently, in response to environmental
or operational changes affecting the security of electronic protected health information,
that establishes the extent to which a covered entity's or business associate's security
policies and procedures meet the requirements of the Security Rule.
31. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
Physical safeguards
1. Implement policies and procedures that specify the proper functions to be performed,
the manner in which those functions are to be performed, and the physical attributes of
the surroundings of a specific workstation or class of workstation that can access
electronic protected health information.
2. Implement physical safeguards for all workstations that access electronic protected
health information, to restrict access to authorized users.
32. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
3. Implement policies and procedures to limit physical access to its electronic
information systems and the facility or facilities in which they are housed, while ensuring
that properly authorized access is allowed.
● (A) Establish procedures that allow facility access in support of restoration of lost
data under the disaster recovery plan and emergency mode operations plan in the
event of an emergency.
● (A) Implement policies and procedures to safeguard the facility and the equipment
therein from unauthorized physical access, tampering, and theft.
● (A) Implement procedures to control and validate a person's access to facilities
based on their role or function, including visitor control, and access to software.
● (A) Implement policies and procedures to document repairs and modifications to the
physical components of a facility which are related to security.
33. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
4. Implement policies and procedures that govern the receipt and removal of hardware
and electronic media that contain electronic protected health information into and out of
a facility, and the movement of these items within the facility.
● (R) Implement policies and procedures to address the final disposition of electronic
protected health information, and/or the hardware or electronic media on which it is
stored.
● (R) Implement procedures for removal of electronic protected health information
from electronic media before the media are made available for re-use.
● (A) Maintain a record of the movements of hardware and electronic media and any
person responsible therefor.
● (A) Create a retrievable, exact copy of electronic protected health information, when
needed, before movement of equipment.
34. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
Technical safeguards
1. Implement technical policies and procedures for electronic information systems that
maintain electronic protected health information to allow access only to those persons or
software programs that have been granted access rights.
● (R) Assign a unique name, username, and/or number for identifying and tracking
user identity.
● (R) Establish (and implement as needed) procedures for obtaining necessary
electronic protected health information during an emergency.
● (A) Implement electronic procedures that terminate an electronic session after a
predetermined time of inactivity.
● (A) Implement a mechanism to encrypt and decrypt electronic protected health information.
35. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
2. Implement policies and procedures to protect electronic protected health information
from improper alteration or destruction.
● (A) Implement electronic mechanisms to corroborate that electronic protected
health information has not been altered or destroyed in an unauthorized manner.
3. Implement hardware, software, and/or procedural mechanisms that record and
examine activity in information systems that contain or use electronic protected health
information.
4. Implement procedures to verify that a person or entity seeking access to electronic
protected health information is the one claimed. (Authentication)
36. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
5. Implement technical security measures to guard against unauthorized access to
electronic protected health information that is being transmitted over an electronic
communications network.
● (A) Implement security measures to ensure that electronically transmitted electronic
protected health information is not improperly modified without detection until
disposed of.
● (A) Implement a mechanism to encrypt electronic protected health information
whenever deemed appropriate.
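An added illustration, not code from the deck or from Panotech, of how four of the Technical Safeguard specifications on slides 34 and 35 look once written down: a unique identifier per login, automatic logoff after a predetermined period of inactivity, an audit trail of system activity, and a mechanism that corroborates a record has not been altered. The record, user names, roles, keys and timeout value are constructed, and HMAC-SHA256 over a hash chain is the editor's choice of integrity mechanism; the slides prescribe the goal, not the technique.

```python
"""Added illustration: a toy ePHI access layer exercising unique user
identification, automatic logoff, audit controls and integrity checking.
All keys, users and records are constructed for the example."""
import hashlib
import hmac
import json

# Constructed demo keys. A real deployment keeps these in a key store, not in source.
RECORD_KEY = b"demo-record-integrity-key"
AUDIT_KEY = b"demo-audit-log-key"
SESSION_TIMEOUT_SECONDS = 10 * 60        # the "predetermined time of inactivity"
CLINICAL_ROLES = {"physician", "nurse"}  # roles whose job needs the full record


def _tag(key, payload):
    """HMAC-SHA256 over a canonical JSON encoding of a dict."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class EphiStore:
    def __init__(self):
        self.records = {}       # record_id -> {"data": dict, "tag": hex HMAC}
        self.audit_log = []     # hash-chained audit entries, oldest first
        self.sessions = {}      # session_id -> {"user_id", "role", "last_seen"}
        self._next_session = 0

    # Integrity: corroborate that ePHI has not been altered in an unauthorized manner.
    def put_record(self, record_id, data):
        self.records[record_id] = {"data": data, "tag": _tag(RECORD_KEY, data)}

    def record_is_intact(self, record_id):
        rec = self.records[record_id]
        return hmac.compare_digest(rec["tag"], _tag(RECORD_KEY, rec["data"]))

    # Access control: unique user identification and automatic logoff.
    def login(self, user_id, role, now):
        session_id = f"sess-{self._next_session}"
        self._next_session += 1
        self.sessions[session_id] = {"user_id": user_id, "role": role, "last_seen": now}
        self._audit("login", user_id, None, "ok", now)
        return session_id

    def access(self, session_id, record_id, now):
        """Return (data, status); every outcome, including denials, is audited."""
        sess = self.sessions.get(session_id)
        if sess is None:
            return None, "no-session"
        if now - sess["last_seen"] > SESSION_TIMEOUT_SECONDS:
            del self.sessions[session_id]            # automatic logoff
            self._audit("auto-logoff", sess["user_id"], record_id, "expired", now)
            return None, "expired"
        sess["last_seen"] = now
        if sess["role"] not in CLINICAL_ROLES:       # minimum necessary
            self._audit("read", sess["user_id"], record_id, "denied", now)
            return None, "denied"
        if not self.record_is_intact(record_id):
            self._audit("read", sess["user_id"], record_id, "integrity-failure", now)
            return None, "integrity-failure"
        self._audit("read", sess["user_id"], record_id, "ok", now)
        return self.records[record_id]["data"], "ok"

    # Audit controls: each entry is MACed together with the previous entry's MAC.
    def _audit(self, action, user_id, record_id, outcome, now):
        prev = self.audit_log[-1]["mac"] if self.audit_log else "genesis"
        entry = {"seq": len(self.audit_log), "time": now, "user": user_id,
                 "action": action, "record": record_id, "outcome": outcome, "prev": prev}
        entry["mac"] = _tag(AUDIT_KEY, entry)       # computed before "mac" is in entry
        self.audit_log.append(entry)

    def audit_chain_is_intact(self):
        """False if any entry was edited, removed from the middle, or reordered."""
        prev = "genesis"
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(entry["mac"], _tag(AUDIT_KEY, body)):
                return False
            prev = entry["mac"]
        return True


def demo():
    """Walk through the four behaviours with constructed users and one record."""
    store = EphiStore()
    store.put_record("pt-0001", {"name": "Constructed Patient", "dx": "example"})
    t = 1_000_000                                    # constructed clock, in seconds
    s = store.login("u-alice", "physician", t)
    statuses = [store.access(s, "pt-0001", t + 5)[1],
                store.access(s, "pt-0001", t + 5 + SESSION_TIMEOUT_SECONDS + 1)[1]]
    statuses.append(store.access(store.login("u-bob", "billing", t), "pt-0001", t + 1)[1])
    store.records["pt-0001"]["data"]["dx"] = "altered"   # simulate unauthorized change
    statuses.append(store.access(store.login("u-carol", "nurse", t), "pt-0001", t + 2)[1])
    return statuses, store.audit_chain_is_intact()


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the code. The audit chain only detects tampering by someone who cannot reach AUDIT_KEY, so the key and a copy of the latest MAC belong on a system the application servers cannot write to; truncating the newest entries is not detected by the chain alone, which is why the latest MAC is anchored elsewhere. And the same keyed-hash idea serves the transmission-integrity specification on slide 36 when the tag travels with the message, although in practice that job is done by TLS rather than by hand.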
37. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule (cont.)
General Requirements
1. Ensure the confidentiality, integrity, and availability of all electronic protected health
information the covered entity or business associate creates, receives, maintains,
stores, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or
integrity of such information.
3. Ensure workforce compliance.
38. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule – The not so obvious
Are network firewalls required?
Firewalls are hardware and software devices that protect an organization’s network from
intruders, such as hackers or data thieves. When properly configured, firewalls deny
access to unauthorized users and applications, and they create audit trails or logs that
identify who accessed the network and when. Although HIPAA does not mention firewall
appliances, you should consider them as required since:
● In conjunction with workstation firewalls, they are considered a fundamental security
measure by NIST and other security standards.
● Idaho State University was fined $400,000 for violations of the HIPAA Security Rule
due to disabled firewall protections. OCR concluded that ISU did not apply proper
security measures and policies to address risks to electronic protected health
information (ePHI).
39. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule – The not so obvious (cont.)
Can you make use of free antivirus software?
Industry experts consider the following procedures as a minimum solution set to satisfy
both the spirit and intent of the 164.308(a)(5)(ii)(B) standard (Protection from malicious
software):
● Frequently update all operating systems with the latest updates and security patches
(weekly).
● Implement business-class anti-malware protection across all systems and
components — primarily anti-virus and anti-spam. Run updates and scans very
frequently (daily).
Most free anti-virus products are not only ineffective; some are threats unto
themselves. The best solutions are those that are configured to deliver protection over
the entire network, not on individual devices. Deploy a business-class security solution.
40. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule – The not so obvious (cont.)
What about Windows XP?
After April 8th, 2014, Windows XP will reach End-Of-Life and will no longer receive
security updates, leaving the network and workstations vulnerable to attack. Thus:
● You will not be able to “ensure the confidentiality, integrity, and availability of all
electronic protected health information”.
● You will not be protecting “against any reasonably anticipated threats or hazards to
the security or integrity of such information”.
After April 8th, 2014 the use of Windows XP will constitute a security breach due to
“willful neglect”. Upgrade to a Professional version of Windows 7, Windows 8, or
Mac OS X.
41. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule – The not so obvious
What kind of computers should you buy?
If you are replacing old machines or just buying new ones, go with warranty-backed
business-oriented OEM systems. Consider this:
● Consumer-grade computers are not designed to provide for security and business
continuity. They come with “Home” versions of Windows, creating licensing issues.
● There's no considerable difference in cost between consumer-grade and business-grade computers.
● Business-grade computers, more often than not, come with components and features
that will enable you to comply with HIPAA rules more easily. Look for systems with an
integrated “Trusted Platform Module” (TPM).
42. HIPAA OMNIBUS 2013
What Is Required?
The HIPAA Security Rule – The not so obvious
Any other considerations?
● If using WiFi, WEP security and Wi-Fi Protected Setup (WPS) must not be used.
Security should be implemented with Wi-Fi Protected Access II (WPA2) or RADIUS.
● Contrary to popular belief, HIPAA does not prohibit the use of email. You should select a
HIPAA compliant email service provider that can provide you with a Business Associate
Agreement (B.A.A.) (e.g. Office 365), and make use of it in accordance with the Security
Rule and your organizational policies. The same applies to electronic fax services.
● Encryption renders data unreadable. In the case of a burglary or any other similar
incident in which encrypted PHI is stolen or leaked, it will not constitute a security
breach, provided the encryption key was not compromised along with the data. It is
advisable to use disk encryption (e.g. Windows BitLocker) on all workstations. Back-ups
should also be encrypted.
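To turn the workstation points on slides 40 to 42 (a supported, non-“Home” Windows edition, a TPM, BitLocker on every volume, and no WEP, open or pre-WPA2 Wi-Fi profiles) into a repeatable check, here is an added PowerShell audit script. It is an example written for this page, not the presenter's or Panotech's tooling. It assumes Windows 8 / Server 2012 or later (where the TrustedPlatformModule and BitLocker modules ship), an elevated session, and English-language netsh output; the severity labels and the Add-Finding helper are this script's own conventions.

```powershell
# Added example, not part of the presentation: read-only workstation audit for the
# Security Rule points on slides 40-42 (OS edition, TPM, disk encryption, Wi-Fi).
# Assumptions: Windows 8 / Server 2012 or later, an elevated PowerShell session,
# and English netsh output. Severity labels are this script's own convention.

$Findings = New-Object 'System.Collections.Generic.List[string]'

function Add-Finding {
    param([string]$Severity, [string]$Message)
    $Findings.Add("[$Severity] $Message")
}

# 1. OS edition (slide 41): "Home" editions cannot join a domain and lack BitLocker
#    management. (Windows XP cannot run this script at all; an XP host on the network
#    is a finding in itself.)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -match 'Home') {
    Add-Finding 'HIGH' "Consumer edition in use: $($os.Caption) ($($os.Version))"
} else {
    Add-Finding 'INFO' "OS: $($os.Caption) ($($os.Version))"
}

# 2. TPM (slide 41): needed for hardware-backed BitLocker key protection.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        Add-Finding 'OK' 'TPM present and ready'
    } elseif ($tpm.TpmPresent) {
        Add-Finding 'MEDIUM' 'TPM present but not ready; enable and initialize it first'
    } else {
        Add-Finding 'HIGH' 'No TPM detected'
    }
} catch {
    Add-Finding 'MEDIUM' "Could not query TPM: $($_.Exception.Message)"
}

# 3. Disk encryption (slide 42): BitLocker protection must be ON for every volume.
try {
    foreach ($vol in Get-BitLockerVolume -ErrorAction Stop) {
        $desc = "$($vol.MountPoint) ($($vol.EncryptionMethod), $($vol.VolumeStatus))"
        if ($vol.ProtectionStatus -eq 'On') {
            Add-Finding 'OK' "BitLocker ON for $desc"
        } else {
            Add-Finding 'HIGH' "BitLocker OFF for $desc"
        }
    }
} catch {
    Add-Finding 'HIGH' "Could not query BitLocker: $($_.Exception.Message)"
}

# 4. Saved Wi-Fi profiles (slide 42): WEP, open/shared authentication and TKIP are
#    unacceptable; WPA2-Personal (AES/CCMP) or WPA2-Enterprise (RADIUS) is expected.
#    WPS is an access-point setting and is not visible here; disable it on the router.
$profileNames = @(netsh wlan show profiles 2>$null | ForEach-Object {
    if ($_ -match '^\s*(All|Current) User Profile\s*:\s*(.+)$') { $Matches[2].Trim() }
})
if ($profileNames.Count -eq 0) {
    Add-Finding 'INFO' 'No saved Wi-Fi profiles (or no wireless adapter)'
}
foreach ($name in $profileNames) {
    # Note: the profile is read without key=clear, so no passphrase is displayed.
    $detail = netsh wlan show profile name="$name" 2>$null
    $auth   = @($detail | ForEach-Object { if ($_ -match '^\s*Authentication\s*:\s*(.+)$') { $Matches[1].Trim() } })
    $cipher = @($detail | ForEach-Object { if ($_ -match '^\s*Cipher\s*:\s*(.+)$')         { $Matches[1].Trim() } })
    $badAuth   = @($auth   | Where-Object { $_ -notmatch '^WPA[23]-' })
    $badCipher = @($cipher | Where-Object { $_ -match '^(WEP|TKIP)' })
    $desc = "Wi-Fi profile '$name' uses $($auth -join '/') with $($cipher -join '/')"
    if ($badAuth.Count -gt 0 -or $badCipher.Count -gt 0) {
        Add-Finding 'HIGH' $desc
    } else {
        Add-Finding 'OK' $desc
    }
}

# 5. Report; exit non-zero on any HIGH finding so the script can run as a scheduled check.
$Findings | ForEach-Object { Write-Output $_ }
$high = @($Findings | Where-Object { $_ -match '^\[HIGH\]' })
if ($high.Count -gt 0) { exit 1 }
exit 0
```

Run it from an elevated PowerShell prompt on each workstation and keep the output with the practice's assessment records (slide 48: “If it's not documented, it doesn't count”). The script does not change anything and does not reveal Wi-Fi keys; WPS and the backup encryption mentioned on slide 42 have to be verified on the access point and in the backup product respectively.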
43. HIPAA OMNIBUS 2013
How To Comply?
First things first...
What HIPAA is not
● A one-time kind of thing
● An ideal
● Organically achieved
● Optional
● Narrow scope (i.e. “A line in the floor”)
● Detailed guidelines
44. HIPAA OMNIBUS 2013
How To Comply?
What HIPAA is
● A never-ending process
● A stringent federal regulation
● Achieved through pro-active management
● Obligatory
● Encompasses every aspect of the medical practice
● Intentionally vague
45. HIPAA OMNIBUS 2013
How To Comply?
Roadblocks to compliance
● No follow-up
● Lack of IT and security backgrounds
● Lack of knowledge
● Lack of corporate identity
● Wrong attitude towards compliance
● Lack of commitment from physicians and management
● Over-confidence
46. HIPAA OMNIBUS 2013
How To Comply?
The Process of Achieving Compliance - Management
HIPAA compliance is a continuous process that needs to be managed and improved over
time. The D.M.A.I.C. methodology is the standard:
Define – Establish the problem or need.
Measure – Perform a current-state assessment of the medical practice. Compare it to the standards.
Analyze – Identify, validate, list, and prioritize potential causes of the problem(s).
Improve – Identify, test, and implement a solution following guidelines.
Control – Monitor and sustain the improvement.
47. HIPAA OMNIBUS 2013
How To Comply?
The Process of Achieving Compliance - Training
Periodic workforce training is critical for achieving and sustaining HIPAA compliance.
Improving privacy and security competence is a continuous four-stage process:
Unconscious Incompetence – “We don't know what we don't know”. Unaware of the deficiency. Blissful ignorance before learning begins.
Conscious Incompetence – “We know that we don't know”. Overwhelming awareness of the deficiency. Learning begins. Pivotal point.
Conscious Competence – “We know that we know”. Putting learning into practice. Start gaining confidence. Heavy conscious involvement and concentration.
Unconscious Competence – “We don't know that we know”. Skill has become a habit and can be performed without heavy conscious effort and with automatic ease.
48. HIPAA OMNIBUS 2013
How To Comply?
REMEMBER!
“What you don't know can (and will) hurt you”
Educate yourself about laws and regulations. Stay informed
about accepted best practices. Learn from others' mistakes.
“Ignorance is risk”
Perform risk assessments. Train your team periodically about
privacy, security, risks, company policies, goals, and
achievements.
“People need a cause”
Promote a culture of privacy and security. Team members
should feel committed and proud about protecting patients'
privacy and minimizing the medical practice's risk.
“If it's not documented, it doesn't count”
Document everything! Keep records of policies, assessments,
disclosures, authorizations, training, devices, breaches, etc.
“Find strength in unity”
Don't try to do it all by yourself. Rely on the right Business
Associates to help you stay compliant and productive.
50. HIPAA OMNIBUS 2013
Resources
Omnibus Rule Compliant Forms
The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health
Information Technology (ONC) have collaborated to develop model Notices of Privacy
Practices for health care providers and health plans to use to communicate with their
patients and plan members. You can go to www.panomedpr.com/forms to learn more and
download copies of the model documents.
51. HIPAA OMNIBUS 2013
Resources
Guidance For Protecting ePHI
HHS provides a reference to NIST guidance on rendering unsecured protected health
information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals. You
can find the guidance at www.panomedpr.com/security.
52. HIPAA OMNIBUS 2013
Resources
HIPAA Compliant Email
Microsoft provides a secure and low-cost email service that meets HIPAA compliance
requirements and provides a Business Associate Agreement (BAA). You can go to
www.panomedpr.com/office to evaluate the service free-of-charge for 30 days and review
the HIPAA Business Associate Agreement when you sign up for the free trial.
53. HIPAA OMNIBUS 2013
Resources
Computer Security Alternatives
Microsoft also provides the anti-virus and anti-malware Forefront Endpoint Security system
as a low-cost monthly service through a Windows Intune subscription. It is intended for
medical practices without servers. You can go to www.panomedpr.com/intune to try the
service free-of-charge.
Kaspersky Total Space Security is a cost-effective security system, paid annually, that
provides ease of management and high performance. It is best suited for medical practices
with servers. You can go to www.panomedpr.com/kaspersky to try the service free-of-charge.
54. HIPAA OMNIBUS 2013
Resources
HIPAA Compliant BackUp Service
Carbonite Business is a HIPAA compliant off-site backup service for workstations and
servers. It employs encryption and provides a Business Associate Agreement (BAA) to
medical practices. You can go to www.panomedpr.com/carbonite to try the service
free-of-charge for 30 days.
55. HIPAA OMNIBUS 2013
About Us
Who is AsisteMed?
AsisteMed Corp. is a team of physicians helping physicians implement and make the most
of their Electronic Health Record system (EHR) in a cost-effective and non-disruptive way,
while also streamlining the process of achieving Meaningful Use and qualifying for federal
incentives. AsisteMed Corp. provides hands-on and on-site consulting, training, and
assistance for medical practices of all sizes.
Contact and follow AsisteMed
info@asistemedpr.com
www.facebook.com/Asistemed
56. HIPAA OMNIBUS 2013
About Us
Who is PanoMED?
PanoMED™ is Panotech Group's common-sense and vendor-neutral approach to health
information management, compliance, and technology for small and mid-sized medical
practices in Puerto Rico and the U.S. Virgin Islands. PanoMED's fiduciary duty is to enable
physicians to achieve a highly reliable, secure, and HIPAA compliant medical practice at the
lowest possible cost and risk, by providing the right combination of consulting, training, and
support in technology, privacy, and security matters.
Contact and follow PanoMED on your favorite social network
info@panomedpr.com
panomedpr.com/gplus
panomedpr.com/facebook
panomedpr.com/twitter
panomedpr.com/news