HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Similar documents
Putting It All Together:

Policy and Procedure: SDM Guidance for HIPAA Business Associates

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Federal Security Rule H I P A A

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

HIPAA-HITECH: Privacy & Security Updates for 2015

The HIPAA Omnibus Rule

HIPAA Privacy, Security and Breach Notification

HIPAA FOR BROKERS. revised 10/17

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance


David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

HIPAA & Privacy Compliance Update

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA Security and Privacy Policies & Procedures

Security and Privacy Breach Notification

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

The Relationship Between HIPAA Compliance and Business Associates

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

HIPAA For Assisted Living WALA iii

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

HIPAA and HIPAA Compliance with PHI/PII in Research

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Data Backup and Contingency Planning Procedure

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA UPDATE. Michael L. Brody, DPM

University of Wisconsin-Madison Policy and Procedure

All Aboard the HIPAA Omnibus An Auditor s Perspective

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

Federal Breach Notification Decision Tree and Tools

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Hospital Council of Western Pennsylvania. June 21, 2012

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HIPAA Privacy, Security and Breach Notification 2017

HIPAA Privacy and Security Training Program

Healthcare Privacy and Security:

Privacy Breach Policy

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

PRIVACY-SECURITY INCIDENT REPORT

The ABCs of HIPAA Security

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

EXHIBIT A. - HIPAA Security Assessment Template -

HIPAA 101: What All Doctors NEED To Know

HIPAA Security Manual

HIPAA Tips and Advice for Your. Medical Practice

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

HIPAA & HITECH Training 2018

Audits Accounting of disclosures

HIPAA COMPLIANCE AND

View the Replay on YouTube

by Robert Hudock and Patricia Wagner April 2009 Introduction

HIPAA Security Rule Policy Map

HIPAA Privacy, Security and Breach Notification 2018

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

Breach Notification Remember State Law

Security Lessons Learned from HIPAA Enforcement

Regulation P & GLBA Training

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

Data Compromise Notice Procedure Summary and Guide

COMMENTARY. Information JONES DAY

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

Cyber Security Issues

HIPAA Compliance Checklist

Employee Security Awareness Training Program

Critical HIPAA Privacy & Security Crossover Areas

Compliance & HIPAA Annual Education

efolder White Paper: HIPAA Compliance

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Abbie Miller, MCS-P. Ongoing Internal Auditing. Documentation Reviews 5/16/2015.

Transcription:

HIPAA How to Comply with Limited Time & Resources Jonathan Pantenburg, MHA, Senior Consultant JPantenburg@Stroudwater.com August 17, 2017

Stroudwater Associates is a leading national healthcare consulting firm serving healthcare clients exclusively. We focus on strategic, operational, and financial areas where our perspective offers the highest value and are proud of our 32-year track record with rural hospitals, community hospitals, healthcare systems, and large physician groups. 2

Presenter Bio JONATHAN R. PANTENBURG, MHA Senior Consultant Jonathan joined Stroudwater in 2016, and brings to the firm a strong record of leadership in rural healthcare. A highly accomplished, results-driven senior executive, Jonathan has more than 12 years of progressively responsible experience advising profit, non-profit, and governmental entities through complex issues including cost reduction, acquisitions, contracts, financial analysis, and operations. Representative Accomplishments Improving performance through strategic, financial, and operational engagements Assessing the financial feasibility of CAHs and STAC facilities accessing significant capital through HUD, USDA, municipal bonds, and or other lending mechanisms Health system redevelopment: collaborating with hospitals, health systems, and networks to determine optimal clinical and operational integration strategies Assessing the financial feasibility and net benefits of system integration for primary care practices, CAHs, and short-term acute care facilities 3

We assist healthcare organizations and business associates develop and implement practices to secure patient data, and comply with HIPAA/HITECH regulations and Meaningful Use (MU) EHR incentive programs. http://www.ehr20.com/ 4

Disclaimer This webinar has been provided for education and information purposes only and is not intended and should not be construed to constitute legal advice nor does this presentation cover every aspect of the Privacy and Security Rules Please consult your attorney(s) in connection with any fact-specific situation under federal law and applicable state or local laws that may impose additional obligations on you and your company 5

Overview Overview HIPAA Compliance Privacy Rule Security Rule Breach / Notification HIPAA Violations and Enforcement Steps Towards HIPAA Compliance 6

Common Terms PHI: Protected Health Information NPP: Notice of Privacy Practices HHS: Health and Human Services PHI NPP HHS OCR: Office for Civil Rights Acronyms HITECH: Health Information Technology for Economic and Clinical Health HIPAA HITECH OCR HIPAA: Health Insurance Portability and Accountability Act Anyone who is not handling patients directly 7

What is HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA) made significant changes to healthcare in the following areas: 1 Health Insurance Reform 2 Administrative Simplification 3 Tax Related Health Provisions 4 Group Health Plan Requirements 5 Revenue Offsets The goal of HIPAA was to: Require the protection and confidential handling of PHI Reduce health care fraud and abuse Set industry-wide standards for health care information on electronic billing, etc. Allow individuals to transfer health insurance coverage 8

Why Comply With HIPAA HIPAA compliance is not an option and is required by law Failure to comply with HIPAA requirements could lead to the following: Personal risk including penalties and sanctions Organizational risk including financial penalties and reputational harm We are entrusted by our patients to preserve and protect the privacy of sensitive and personal information 9

HIPAA COMPLIANCE Overview Definitions / Regulations Cost Reports Opportunities 10

HIPAA Compliance Overview Privacy Confidentiality of PHI Permitted Uses Patient Rights Security Protection of ephi Breach Notification 11

Changes to HIPAA The Health Information Technology for Economic and Clinical Health Act (HITECH), which was a part of the American Recovery and Reinvestment Act (ARRA) of 2009, widened the scope of privacy and security protections available under HIPAA Specifically, ARRA/HITECH impacted the following areas with regard to HIPAA: Business Associates and Business Associate Agreements Enforcement Notification of Breach Electronic Health Record Access 12

What is Protected Protected Health Information (PHI) is all individually identifiable health information created, held, and or transmitted by a covered entity or its business associate, including demographic data, that relates to: The individual s past, present or future physical or mental health or condition The provision of healthcare to the individual, or The past, present, or future payment for the provision of healthcare to an individual PHI also includes any information that identifies an individual or could be used through a reasonable basis to identify an individual 13

Patient Identifier Examples Names Medical Record Numbers Patient Identifiers Social Security Numbers Account/Medical Record Numbers Health Plan Numbers Home Address Date of Birth 14

PHI Uses and Disclosures Uses When an organization reviews or uses PHI internally This includes, but is not limited to: audits, trainings, quality improvement, and customer service Disclosures When an organization releases or provides PHI to someone or another organization This includes, but is not limited to: attorneys, patients, other providers, and business associates 15

Minimum Necessary Regardless of use or disclosure, healthcare organizations must apply the Minimum Necessary principle for PHI The Minimum Necessary principle states organizations must use and or disclose/release only the minimum necessary information to accomplish the intended purpose of the use, disclosure, or request Use Request: Identify those who need access to PHI Restrict access on a need-to-know basis Continue to monitor access to PHI Disclosure Request: When releasing information, limit PHI to no more than what is need to accomplish the purpose for which the request is made 16

Patient Rights HIPAA grants patients the following rights: Access to patient health information An expectation that healthcare organizations will protect their health information Notice of Privacy Practices and Reminders This summarizes how an organization will use and disclose PHI The right to alternative communication methods The right to individual privacy The right to file complaints 17

Security Rule Application Administrative Safeguards Organizations are required to have policies and procedures for employees to maintain security (e.g. disaster, internet and e-mail use) Technical Safeguards System-driven technical safeguards Assignment of different levels of access Automatic screen savers Email encryption Physical Safeguards Must have physical barriers and devices: Lock doors to medical records Restricted access to facility Restricted access to servers and computers 18

Breach Notification When an organization suspects a breach, the organization must conduct a risk assessment which includes at least the following four factors: The nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification; The unauthorized person who used the PHI or to whom the disclosure was made; Whether the PHI was actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated 19

Business Associate Agreements A business associate is a person or entity who performs functions, activities, and or services to a covered entity that involves access to PHI, who is not a member/employee of the covered entity A Business Associate Agreement (BAA) is a contract between the covered entity and the business associate that: Establishes permitted use and disclosure of PHI Requires subcontractors to meet HIPAA compliance Ensures appropriate safeguards to PHI Report breaches of information Ensure compliance to the HIPAA Privacy Rule Defines the destruction of PHI Authorizes the termination of the contract 20

HIPAA VIOLATIONS AND COMPLAINTS Overview Definitions / Regulations Cost Reports Opportunities 21

HIPAA Violations & Enforcement The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules in several ways: Investigating filed complaints Conducting compliance reviews Performing education and outreach OCR attempts to resolve HIPAA violations through the following methods: Voluntary compliance Corrective action and/or Resolution agreement 22

HIPAA Violations & Enforcement HIPAA Privacy & Security Rule Complaint Process COMPLAINT POSSIBLE CRIMINAL VIOLATION DOJ DOJ declines case & refers back to OCR ACCEPTED BY DOJ INTAKE & REVIEW POSSIBLE PRIVACY OR SECURITY RULE VIOLATION INVESTIGATION RESOLUTION OCR finds on violation RESOLUTION OCR obtains voluntary compliance, corrective action, or other agreement The violation did not occur after April 14, 2013 Entity is not covered by the Privacy Rule OCR issues formal finding of violation Complaint was not filed within 180 days and an extension not granted The incident described in the complaint does not violate the Privacy Rule Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html 23

HIPAA Violations & Enforcement Failure to comply with HIPAA requirements can lead to the following civil and criminal penalties: CIVIL PENALITIES Violation category Minimum Penalty Maximum Penalty Did Not Know $100 $50,000 Reasonable Cause $1,000 $50,000 Willful Neglect-Corrected $10,000 $50,000 Willful Neglect-Not Corrected 50,000 CRIMINAL PENALTIES $50,000 per violation with an annual maximum of $1.5 million $50,000 fine and 1 year prison for knowingly obtaining and wrongfully sharing information $100,000 fine and 5 years prison for obtaining and disclosing through false pretenses $250,000 fine and 10 years prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm 24

Common HIPAA Violations The following are examples of the most common HIPAA violations: 1. Lost or Stolen Devices Example: An unencrypted laptop containing ephi was left in an unsecured location and available to the public 2. Hacking Settlements: In November 2015, an entity paid $850K to settle potential violations of the HIPAA Act when an unencrypted laptop was stolen Example: An employee downloaded a file that included malware which gave an unauthorized user access to PHI Settlements: In November 2016, an entity paid $650K to settle potential violations of the HIPAA Act due to malware infected computer which may have resulted in the release of PHI 25

Common HIPAA Violations The following are examples of the most common HIPAA violations (continued): 3. Unauthorized Employee Access Example: An employee accesses the health record of a family member, without authorization, to check their health status Settlements: In February 2017, an entity paid $5.5M to settle potential violations of the HIPAA Act when employees inappropriately accessed patient names, DOBs, and SS#s 4. Improper Disposal Example: A clinic purchases new desktop computers and does not delete ephi before disposing of the old equipment Settlements: In June 2010, an entity paid $1.0M to settle potential violations of the HIPAA Act for failure to properly dispose of PHI 26

Common HIPAA Violations The following are examples of the most common HIPAA violations (continued): 5. Third-Party Disclosure Example: A covered entity discloses PHI to another entity without executing a BAA Settlements: In April 2016, an entity paid $750K to settle potential violations of the HIPAA Act for failure to execute a BAA prior to sending PHI 6. Unauthorized Release Example: An organization sends a patient s lab results to the wrong fax number Settlements: In May 2017, an entity paid $387K to settle potential violations of the HIPAA Act when the entity faxed PHI to a patient s employer 27

Common HIPAA Violations The following are examples of the most common HIPAA violations (continued): 7. Risk Assessments Example: An entity does not periodically assess the risk associated with maintaining HIPAA compliance Settlements: In 2015, an entity paid $750K to settle potential violations of the HIPAA Act by failing to conduct an accurate and through assessment of the potential risk and vulnerabilities 8. Unsecured Records Example: A file cabinet containing patient medical records is left unlocked and accessible in a public area Settlements: In 2014, an entity paid $800K to settle potential violations of the HIPAA Act for failure to ensure the security of PHI when transferring medical records to another location 28

Steps Towards HIPAA Compliance Overview Definitions / Regulations Cost Reports Opportunities 29

Steps Towards HIPAA Compliance 1 2 3 4 5 6 Form HIPAA Compliance Committee and Designate Security Officer Conduct Thorough Risk Assessment to Evaluate Current State Implement HIPAA Policies and Procedures and Mitigate Risk Train Staff and Validate Systems Conduct Annual Risk Assessment Update Systems and Mitigate Risk 30

Steps Towards HIPAA Compliance Step 1: Form HIPAA Compliance Committee and Designate Security Officer HIPAA compliance cannot be maintained by a single individual and will require multiple people Security Officer Responsibilities Include: Develop and revise HIPAA policies and procedures Internal resource for HIPAA compliance and PHI questions Ensure completion of security audits and risk assessments Monitor compliance with security laws Develop appropriate security training Investigate system security breaches 1 31

Steps Towards HIPAA Compliance Step 2: Conduct Thorough Risk Assessment to Evaluate Current State A thorough risk assessment will allow the organization to evaluate the following: Policies and Procedures Data Collection Identify and document potential threats and vulnerabilities Determine the likelihood of threat occurrence Determine the potential impact of threat occurrence Determine the level of risk Assess current security measures 2 32

Steps Towards HIPAA Compliance Step 3: Implement HIPAA Policies and Procedures and Mitigate Current risk HIPAA Policies and Procedures After the risk assessment, policies and procedures should be updated or established as necessary to meet HIPAA requirements Policies and procedures should be updated at a minimum on an annual basis Mitigate Potential Risk Review risk assessment and make necessary changes to systems A comprehensive risk assessment will inform the entity of items needing resolution to meet compliance requirements 3 33

Steps Towards HIPAA Compliance Step 4: Train Staff and Validate Systems Train Staff Healthcare organizations should ensure all staff who come into contact with PHI receive training when hired and then on an annual basis Validate Systems The Security Officer should work with IT and other staff as necessary to validate systems This includes ensuring systems meet privacy and security rule compliance requirements Healthcare organizations should regularly test systems to ensure continued compliance 4 34

Steps Towards HIPAA Compliance Step 5: Conduct Annual Risk Assessment Healthcare organizations need to conduct periodic risk assessments to evaluate the current state of operations with regard to both the privacy and security role Healthcare organizations do not have to engage an outside party to conduct a risk assessment; however, organizations are responsible for HIPAA compliance An entity should evaluate internal knowledge with regard to HIPAA compliance to determine if the risk assessment can be completed internally The annual risk assessment will provide an organization with specific areas of improvement to meet and or maintain 5 HIPAA compliance 35

Steps Towards HIPAA Compliance Step 6: Update Systems and Mitigate Risk Update Systems Whether through changes in legislation, administrative rules, system changes, or operational changes, healthcare organizations need to evaluate and update systems as necessary to maintain HIPAA compliance Mitigate Risk The annual risk assessment will provide specific areas of risk that organization must resolve System updates and risk mitigation will require constant attention and cannot be done solely on an annual basis 6 36

Conclusions Following HIPAA is not an option and all organizations that handle PHI must ensure compliance Not knowing the HIPAA requirements is not an excuse for not following 37

QUESTIONS Overview Definitions / Regulations Cost Reports Opportunities 38

Thank you 1685 Congress St. Suite 202 Portland, Maine 04102 (207) 221-8250 JPantenburg@stroudwater.com www.stroudwater.com 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback