HIPAA For Assisted Living WALA iii


Table of Contents

The Wisconsin Assisted Living Association... ix
  Mission... ix
  Vision... ix
  Values... ix
  Acknowledgments... ix
Who Should Use This Manual... x
How to Use This Manual... x
Updates and Forms... xi

Chapter 1: Heading Into HIPAA... 1
  A Brief Overview of HIPAA... 3
  Whose Information Is Private?... 3
  Why HIPAA Matters to Your Assisted Living Community... 4
  What Is the Deadline for Compliance?... 5
  Should I Just Hire a Consultant to Do All This?... 5
  But my billing service takes care of all that!... 5
  What If HIPAA Doesn't Apply to Your Community?... 6
  Have a COW, Man!... 6
  A Note About Legal Counsel... 7
  Essential HIPAA Terminology... 7
  Federal vs. State Law: When in Doubt, Do It the Hard Way... 7
  The Privacy Rule and the Security Rule... 9
    The Privacy Rule... 9
    The Security Rule... 10
    A Note About HITECH... 10

HIPAA FOR MANAGERS... 11

Chapter 2: The Privacy Officer and the Security Officer... 13
  The Privacy Officer... 15
    Privacy Officer qualifications... 15
    Privacy Officer responsibilities... 15
  The Security Officer... 15
    Security Officer qualifications... 15
    Security Officer responsibilities... 16
  Duties of the Privacy Officer and Security Officer... 16
    Training... 16
    Monitoring and Audits... 17
    Complaints and Security Incidents... 17
    Investigation and Enforcement... 17
  HIPAA: Not Your Only Responsibility... 17
  Contingency Plans and Mitigation... 18
  Retaliatory Acts... 18
  Performing a Risk Assessment... 18
  Creating a Culture of Compliance... 19
  Helping Family Members Understand... 20
  Sample Privacy Officer Job Description... 21
  Sample Security Officer Job Description... 23
  HIPAA Reminder Poster... 25
  Sample Letter Informing Residents and Families of HIPAA Restrictions... 27

Chapter 3: Resident Records... 29
  What the Resident Record Contains... 31
  The Resident Privacy Flow Sheet... 33
  Making Entries in the Resident Record... 34
  Bumps in the Log... 34
  Correcting Errors in the Resident Record... 35
  Resident Privacy Flow Sheet... 37
  List of Approved Forms... 39

Chapter 4: Who Has Access to Protected Health Information?... 41
  Employee Access to PHI... 43
  Business Associates' Access to PHI... 43
  Exceptions to Minimum Necessary Standards... 43
  Minimum Necessary Standards... 45

Chapter 5: Disclosing PHI... 47
  TPO Disclosures... 49
    Special PHI... 49
    Approved resident restrictions... 49
  Required Disclosures... 50
  Permitted Disclosures... 51
  Authorized Disclosures... 52
    Expiration and revocation of authorizations... 52
    Resolving conflicts... 53
  Redisclosures... 53
    Special PHI... 54
    Recommendations on redisclosures... 54
  Request to Restrict PHI Uses or Disclosures Form... 55
  Form Letter to Attorney in Response to Subpoena... 57
  Authorization for Use or Disclosure of Information... 59

Chapter 6: Residents' Rights... 61
  Right to a Notice of Privacy Practices... 63
  Creating a Notice of Privacy Practices... 63
  Distribution of the NPP... 65
  Amending the NPP... 65
  Right to Request Certain Restrictions on the Use and Disclosure of PHI... 65
  Right to Request Access to PHI... 66
  Fees for Resident Copies of Their Records... 66
    Monitored access... 67
    Denying a request for access to PHI... 67
    Residents' review rights... 68
    PHI held at another facility... 68
  Right to Request an Amendment of PHI... 68
    Denying a request to amend PHI... 69
  Right to an Accounting of PHI Disclosures... 70
  Acknowledgment of Receipt of Notice of Privacy Practices... 71
  Documentation of Good Faith Efforts... 73
  Resident Request to Access PHI Form... 75
  Decision for Resident Request to Access PHI from Privacy Officer... 77
  Decision by Clinical Staff Designee on Denial of Access... 79
  Resident Request to Amend PHI Form... 81
  Decision Regarding Resident Request to Amend PHI... 83
  Resident Request for Accounting of PHI Disclosures Form... 85
  Accounting of PHI Disclosures Report Form... 87

Chapter 7: Business Associates... 89
  Who Is a Business Associate?... 91
  Exceptions to the Business Associate Agreement... 92
  Roster of Business Associates... 92
  Business Associates' Obligations... 93
    Business Associate Agreement... 93
    Accounting of Disclosures... 93
    Breaches... 93
  Business Associate Roster... 95
  Letter Notifying Business Associates of Their Obligations... 97
  Sample Business Associate Agreement Provisions... 99
  Data Breach Notice from Business Associate... 105

MAKING HIPAA HAPPEN... 107

Chapter 8: Safeguarding Protected Health Information (PHI)... 109
  Access and Storage Controls... 111
    Malicious software... 112
    Security incidents and emergencies... 112
    Tips for Creating Strong Passwords... 112
    Storage controls... 113
    Removal and destruction of PHI... 113
  Employee Safeguards... 113
    Employee obligations... 113
    Termination... 114
  Communication Safeguards: Written Materials and Telephone Calls... 114
    Resident directories... 114
    Telephone calls... 114
  Communication Safeguards: Fax... 115
  Communication Safeguards: Email... 116
  Communication Safeguards: Social Media... 117
  Communication Safeguards: Texting... 118
  Safeguards on Computers and Other Electronic Media... 118
    Checkout/check-in procedures... 119
    Disposal... 119
  Business Associate Safeguards... 119
  Action Form... 121
  Termination/PHI Access Keys/Passwords Checklist... 123
  Fax Cover Sheet... 125
  Personal Electronic Media Statement... 127

Chapter 9: Training... 129
  HIPAA Training... 131
  Other Resources... 132
  A Note About HIPAA Training or Materials from Hired Contractors... 132
    Be aware of misleading marketing claims... 132
  HIPAA Training Quiz... 133
  HIPAA Training Quiz Answers... 135
  Acknowledgment of Completion of HIPAA Training... 137

HIPAA HICCUPS... 139

Chapter 10: Breaches... 141
  What Does the Government Do to Ensure HIPAA Compliance?... 143
  What Triggers a HIPAA Audit?... 143
  What Does This Mean for My Assisted Living Community?... 143
  What Is a Breach?... 144
    What are some common ways breaches occur?... 144
    What are the different types of HIPAA breach violations?... 144
  Penalties for Breach Violations... 145
  Your Responsibility to Report Breaches... 146
    What is your responsibility in investigating an alleged breach?... 146
  When to Notify Residents of Breach Violations... 147
  How to Notify Residents of Breach Violations... 149
    Timing... 149
    Format... 149
    Content... 149
  Corrective Action Your Community Should Take After a HIPAA Breach... 149
  Preparing for an OCR Investigation... 150
  Sample Notification of Breach Violation Letter to Resident... 153
    Other optional considerations... 153

Chapter 11: Complaints... 155
  How the OCR Responds to HIPAA Complaints... 157
  How Are Complaints Filed?... 158
  Contact Information for OCR Region V (Illinois, Indiana, Michigan, Minnesota, Ohio, Wisconsin)... 158
  How Should You Respond to a Complaint?... 159

Chapter 12: Audits... 161
  Who Gets Audited?... 163
  What to Expect in the Event of an Audit... 165
    Timeline... 165
    Process... 165
  How to Prepare for an Audit... 168
  General Recommendations to Best Prepare to Respond to Breaches, Complaints, and Audits... 168

ADDITIONAL MATERIALS... 169

HIPAA for Assisted Living: Quick Reference Guide... 171
Glossary of HIPAA-Related Terms... 177
Notes on Mental Health Records/Psychotherapy Notes... 183
  Uses and disclosures of protected mental health information... 183
  Individual rights granted by the privacy standard... 183
  Enforcement and destruction of mental health records... 184
  Note about psychotherapy notes... 185
Communicable Disease Records Under State Law... 187
Drug and Alcohol Treatment Records... 189
Sample Disaster Recovery Plan... 195
Checklist for Determining Your HIPAA Compliance... 199