Integrating HIPAA into Your Managed Care Compliance Program

Similar documents
Policy and Procedure: SDM Guidance for HIPAA Business Associates

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

HIPAA Security Checklist

HIPAA Security Checklist

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Implementing an Audit Program for HIPAA Compliance

EXHIBIT A. - HIPAA Security Assessment Template -

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Putting It All Together:

HIPAA Security and Privacy Policies & Procedures

01.0 Policy Responsibilities and Oversight

The HIPAA Omnibus Rule

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

SECURITY & PRIVACY DOCUMENTATION

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Security and Privacy Breach Notification

HIPAA For Assisted Living WALA iii

Employee Security Awareness Training Program

Red Flags/Identity Theft Prevention Policy: Purpose

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

These rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.

Virginia Commonwealth University School of Medicine Information Security Standard

HIPAA Federal Security Rule H I P A A

Healthcare Privacy and Security:

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

Ohio Supercomputer Center

HIPAA-HITECH: Privacy & Security Updates for 2015

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Checklist: Credit Union Information Security and Privacy Policies

HIPAA Compliance Checklist

HIPAA FOR BROKERS. revised 10/17

HIPAA Security Rule Policy Map

HIPAA Regulatory Compliance

Learning Management System - Privacy Policy

Regulation P & GLBA Training

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Government-issued identification numbers (e.g., tax identification numbers)

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Access to University Data Policy

The ABCs of HIPAA Security

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

Data Processing Agreement

Enterprise Income Verification (EIV) System User Access Authorization Form

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Oracle Data Cloud ( ODC ) Inbound Security Policies

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

Data Backup and Contingency Planning Procedure

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Information Security Policy

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Morningstar ByAllAccounts Service Security & Privacy Overview

Data Processing Agreement for Oracle Cloud Services

HIPAA Security Manual

BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace

Policy. Policy Information. Purpose. Scope. Background

Privacy & Information Security Protocol: Breach Notification & Mitigation

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

HIPAA Privacy and Security Training Program

Security and Privacy Governance Program Guidelines

COMMENTARY. Information JONES DAY

Overview of Presentation

A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Health Care: Privacy & Security in a Digital Age

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Terms and Conditions 01 January 2016

Breach Notification Remember State Law

The Common Controls Framework BY ADOBE

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Cybersecurity in Higher Ed

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Security Awareness Compliance Requirements. Updated: 11 October, 2017

Compliance With HIPAA Privacy Rule Before Security & Enforcement Rules are Final: Challenges in Practice

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

PTLGateway Data Breach Policy

Department of Public Health O F S A N F R A N C I S C O

Security Policies and Procedures Principles and Practices

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Cyber Security Program

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

HIPAA & Privacy Compliance Update

for the Dental Industry


HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

HIPAA 101: What All Doctors NEED To Know

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

[DATA SYSTEM]: Privacy and Security October 2013

Transcription:

Integrating HIPAA into Your Managed Care Compliance Program The First National HIPAA Summit October 16, 2000 Mark E. Lutes, Esq. Epstein Becker & Green, P.C. 1227 25th Street, N.W., Suite 700 Washington, DC 20037 (202) 861-1824 mlutes@ebglaw.com

Start With What You Have Evaluate how the new requirements can be incorporated into the existing corporate compliance program. Policies and procedures for compliance program could be enhanced to accommodate HIPAA & GLBA requirements. Assess where internal clients stand in comparison with the proposed rule; current accreditation standards, GLBA, NAIC model reg. etc.

Compliance Integration Seven Elements of a Corporate Compliance Program Policies and Procedures Assignment of Oversight Responsibilities Training and Education Lines of Communication Enforcement and Discipline Auditing and Monitoring Response and Corrective Action HIPAA Security Requirements Administrative Procedures Assigned Security & Privacy Responsibility Training and Education Report Procedures; Event Reporting Sanctions Internal Audit Response Procedures; Testing & Revision HIPAA Privacy Requirements Documentation of Policies and Procedures Designated Privacy Official Training Complaint Processing Sanctions Accounting for Disclosures Duty to Mitigate

Managed Care Risk Areas Compliance HIPAA Marketing and Enrollment Underutilization of Services Provider Relationships Reporting Obligations Confidentiality Integrity Availability

Hospital Risk Areas Billing and Coding Cost Reporting Stark/Anti-kickback Confidentiality Integrity Availability EMTALA

Policies and Procedures Security Policies & Procedures Documented, formal practices to manage the selection and execution of security measures to protect data, and to manage the conduct of personnel in relation to the protection of data All aspects/elements of HIPAA compliance: administrative, physical and technological safeguards Do not simply rely on your vendors Know all authoritative sources

Policies and Procedures Security Policies & Procedures, examples: Contingency Access and Authorization Encryption System Configuration Management Security Incident Handling Network Hook-Up Escalation Procedures for Security Incidents Third Party Network Connections Policy Training & Auditing

Policies and Procedures Privacy Policies & Procedures A covered entity must document its policies and procedures for complying with the applicable requirements Chain of Trust Agreements Use and Disclosure practices that are tailored to organization Minimum Necessary Guidelines Individual Rights Administrative Requirements Policy Modifications

Assignment of Oversight Responsibilities Security Documented assignment of security responsibility to an individual or an organization whose responsibilities include: The use of security measures to protect data; and The conduct of personnel in relation to protection of data Privacy The covered entity must designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures for the entity.

Training and Education Security Awareness Training Periodic Security Reminders User education concerning virus protection Monitoring and reporting Password management Privacy Privacy Policies & Procedures All members of workforce Signed certification At least every 3 years and when policies change

Lines of Communication Security Formal, documented instructions for reporting security breaches, so that security violations are reported and handled promptly. Event reporting-- a network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a specific task Privacy Health plans and providers must develop and implement procedures under which an individual may file a complaint alleging that the covered entity failed to comply Contact person Records of complaints and dispositions

Enforcement and Discipline Security Sanction Policies and Procedures that notify employees, agents, and contractors of (1) civil or criminal penalties for misuse or misappropriation of health information, and (2) that violations may result in notification to law enforcement officials and regulatory, accreditation, and licensure organizations Privacy A covered entity must develop and apply when appropriate sanctions against members of its workplace [and business partners] who fail to comply with the policies and procedures of the covered entity or the requirements of this subpart...

Auditing and Monitoring Security Applications & Data Critically Analysis In-house review of the records of system activity (logins, file accesses, security incidents) Physical safeguards testing and revision Security Testing Audit Trail Privacy Covered entities must be able to provide an accurate accounting of disclosures made by the entity as long as such information is maintained by the entity

Response and Corrective Action Security Response Procedures-- documented formal rules or instructions for actions to be taken as a result of a security incident report Privacy Duty to Mitigate-- A covered entity must have procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information in violation of the [regulations].

Getting Started Assess: Corporate E-Strategies IT structure Policies & Procedures Assign: Privacy and Security Task Forces Individual Responsibilities Develop: Information Flow Charts Policies & Procedures Job Descriptions IT Solutions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback