HIPAA & Privacy Compliance Update

Similar documents
Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

HIPAA and HIPAA Compliance with PHI/PII in Research

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA-HITECH: Privacy & Security Updates for 2015

Putting It All Together:

HIPAA For Assisted Living WALA iii

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Security and Privacy Breach Notification

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

The ABCs of HIPAA Security

HIPAA Federal Security Rule H I P A A

HIPAA Security and Privacy Policies & Procedures

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

HIPAA FOR BROKERS. revised 10/17

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

NOTICE OF PRIVACY PRACTICES

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Federal Breach Notification Decision Tree and Tools

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA Privacy and Security Training Program

The Relationship Between HIPAA Compliance and Business Associates

HIPAA Cloud Computing Guidance

Electronic Communication of Personal Health Information

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Hospital Council of Western Pennsylvania. June 21, 2012

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

The HIPAA Omnibus Rule

HIPAA 101: What All Doctors NEED To Know

Cyber Security Issues

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

HIPAA Tips and Advice for Your. Medical Practice

What s New with HIPAA? Policy and Enforcement Update

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

HIPAA Privacy, Security and Breach Notification 2017

Healthcare Privacy and Security:

University of Wisconsin-Madison Policy and Procedure

EXHIBIT A. - HIPAA Security Assessment Template -

Compliance & HIPAA Annual Education

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits


Data Backup and Contingency Planning Procedure

HIPAA Omnibus Notice of Privacy Practices

Audits Accounting of disclosures

HIPAA Privacy, Security and Breach Notification

HIPAA AND SECURITY. For Healthcare Organizations

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Patient Right Access to PHI Understanding Recent OCR Guidance. Sondra Hornsey, CHC, CHPC HIPAA Privacy Officer, Washington University March 31, 2016

Texting and ing Patients, Providers and Others: HIPAA, CMS, and Suggestions

HIPAA Security Manual

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

Abbie Miller, MCS-P. Ongoing Internal Auditing. Documentation Reviews 5/16/2015.

Patient Access & Charging for Medical Records. General Right to Access. Requests for Access. Charging for Copies

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

HIPAA and Research Contracts JILL RAINES, ASSISTANT GENERAL COUNSEL AND UNIVERSITY PRIVACY OFFICIAL

Getting OCR Audit-Ready in 7 Steps:

Breach Notification Remember State Law

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

HIPAA UPDATE. Michael L. Brody, DPM

Policy. Policy Information. Purpose. Scope. Background

Data Compromise Notice Procedure Summary and Guide

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

HIPAA Comes of Age: 21 Years of Privacy and Security

LifeWays Operating Procedures

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

HIPAA & IT THE HIPAA SECURITY RULE AND THE ROLE OF THE IT PROFESSIONAL DOES YOUR IT PROVIDER UNDERSTAND THEIR ROLE AND ARE THEY COMPLIANT?

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Information Governance, the Next Evolution of Privacy and Security

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

University Policies and Procedures ELECTRONIC MAIL POLICY

NMHC HIPAA Security Training Version

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

HIPAA Compliance Checklist

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

Introduction CHAPTER 1

Transcription:

HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com (802) 864-0880

Agenda HIPAA and Vermont privacy law: Critical concepts/key compliance steps Emerging HIPAA compliance challenges HIPAA audit program Recent enforcement actions Q and A 2

Federal Law = HIPAA HIPAA privacy and security rules. Provide a floor for protecting the privacy of identifiable health information. Do not preempt state laws which are more protective of privacy or provide greater patient rights to access information. 3

Vermont s Privacy Laws Patient Privilege, 12 V.S.A. 1612: greater protection than the HIPAA privacy rules, allowing disclosure only with patient consent or as required by law. Vermont Health Care Privacy Law, 18 V.S.A. 1881: allows disclosures permitted by HIPAA. Vermont Bill of Rights for hospital and nursing home patients, 18 V.S.A. 1852 and 33 V.S.A. 7301. Vermont Mental Health Disclosure, 18 V.S.A. 7103 4

Vermont s Privacy Laws (cont.) State law is a hodge podge. Recommendation: Have patients execute a general consent authorizing the provider to disclose PHI for treatment, payment, healthcare operations and coordination of care purposes. This consent should be retained in the patient s medical record. 5

Protection of Health Information Categories: 1. State law: no clear definitions 2. HIPAA: a. Protected Health Information (PHI) b. Designated record set c. De-identified health information d. Limited data sets 3. 42 CFR Part 2: Any information identifying treated individual or services provided at federal program for substance abuse treatment 6

Protected Health Information (PHI) Individually identifiable health information -- written, oral or ephi Created or received by Covered Entity (CE) Relates to past, present, future physical or mental health or condition, or to provision of health care or payment for health care Excludes education records (FERPA) and employment related records 7

Designated Record Set Group of medical records and billing records maintained by CE or used by CE to make decisions about individuals Significance? Patient access rights Quality review, payer requests, records in litigation Distinguish business records, medical equipment printouts, scheduling information 8

De-Identified Health Information Removal of list of identifiers required (names, geographic locators, age, dates, SSN, contact information, medical record and identifying numbers, image, biometrics). If de-identified fully, not protected and can be shared. Distinguish redacted records (name removal): still subject to HIPAA. If Limited Data Set (certain identifiers removed) can be shared for research, public health or health care operations under Data Use Agreement. 9

Who Must Comply with HIPAA Privacy and Security Rules? Covered Entities (CEs): Health care providers Health plans Health care clearing houses Business Associates: Independent contractor who Performs function or activity for CE involving PHI Must be under a Business Associate Agreement ( BAA ) Business Associates of Business Associates 10

Use and Disclosure of PHI A CE may use and disclose PHI for treatment, payment and health care operations (TPO) without patient authorization Distinguish: Consent needed under state law Part 2 consent if federal substance abuse treatment program 11

HIPAA Key Concept: Minimum Necessary Minimum Necessary Standard limits uses, disclosures and requests for PHI to minimum necessary amount of PHI needed to carry out purpose of use or disclosure AND to limit disclosure to individuals with need to know Does not apply for treatment purposes or as directed by patient authorization 12

Compliance Responsibilities for CEs Provide patients Notice of Privacy Practices (NPP) Adopt clear compliance policies and procedures Workforce training (no less than annually) Security measures and Security Rule Compliance Risk assessments (and implement response) Report breaches 13

What is a Breach? Unpermitted acquisition, access or disclosure of UNENCRYPTED PHI which compromises security or privacy of PHI Presumed, unless actual risk analysis pursuant to rule shows low probability of compromise 14

Breach Reporting Notify individual within 60 days. Notify HHS and media if over 500 people affected. Annual notice or log to HHS of breaches. If personal financial information (SSNs or financial accounts), notice to Vermont Attorney General in 14 days and individual within 45 days. 9 V.S.A. 2435. 15

Patient Rights Under HIPAA Access/copies in 30 days Copies for reasonable, cost-based fee (labor, supplies, postage)* Request to amend or state disagreement Request accounting of access Request restriction (if self-pay, may prohibit insurer s access) Communication choice *will preempt Vermont Law, 18 V.S.A. 9419, in part, except free copy for SS Act claims 16

Emerging HIPAA compliance challenges Ransomware Texting patients Emailing patients 17

Ransomware Type of malware (malicious software). Attempts to deny access to a user s data by encrypting it. Directs the user to pay ransom to the hacker in return for a decryption key, May also destroy or exfiltrate data. 18

Ransomware = HIPAA breach? Whether ransomware is a breach under the HIPAA Rules is a fact-specific determination. When ephi is encrypted by a ransomware attack, a breach has occurred. Unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised, based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. 19

Ransomware what should you do? Implement: A security management process, including: conducting a risk analysis to identify threats and vulnerabilities to ephi, and security measures to mitigate or remedy those identified risks; Procedures to guard against and detect malicious software; Training for users on malicious software protection, so they can assist in detecting malicious software and know how to report such detections; and Access controls to limit access to ephi to only those persons or software programs requiring access. FACT SHEET: Ransomware and HIPAA https://www.hhs.gov/sites/default/files/ransomwarefactsheet.pdf 20

Text Messaging Generally not secure because: messages lack encryption; sender does not know with certainty the message is received by the intended recipient; and telecommunication vendor/wireless carrier may store the text messages. 21

Texting Recommendation Before texting, we recommend: perform a risk analysis, or use a third-party messaging solution that establishes a secure communication platform. 22

Texting: Written Agreement Get a signed agreement from the patient. Patient agrees to accept communication by text; The types of information texts may contain; Password and encryption standards for the devices that are used; Addition of texts to medical record; How and when texts are deleted; What type of information patient agrees to transmit or receive by text; and Must notify practice if phone number changes or phone is lost, etc. 23

Email Best Practices If a patient emails you, you may assume that email is an acceptable form of communication for the patient. BUT, if patient may be unaware of risks of using email, alert them to risks and let them decide whether to continue (risks: work email - who can access it?, email could become part of medical record, never use email in emergencies, etc.). 24

Email Best Practices (cont.) For the first communication, double-check the email address. Send an email alert first, so patient can confirm correct address. Limit amount/type of medical information being disclosed. If patient copies a third person on email, only reply to the patient. 25

HIPAA Audit Program HITECH requires the US government (Health and Human Services - HHS) to perform periodic audits of covered entities and business associates. HHS Office for Civil Rights (OCR) enforces HIPAA and HITECH Rules. For audit information, see: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html 26

Audit Program Objectives OCR uses audits to identify best practices and discover risks and vulnerabilities undetected through OCR s ongoing complaint investigations and compliance reviews, and enable OCR to get out in front of problems before they result in breaches. OCR will identify best practices gleaned through the audit process and provide guidance targeted to identified compliance challenges. 27

HIPAA Audit Program Phase I 2011-2012 Audited controls and processes of 115 Covered Entities to comply with Privacy, Security and Breach Notification Rules. 28

HIPAA Audit Program Phase 2 Launched in 2016. Reviews Covered Entities /Business Associates policies and procedures. Desk audit: very little on-site. Started with an email asking to verify email address and contact information. Followed by pre-audit questionnaire. osocraudit@hhs.gov If you did not get an email, check junk and spam folders for OCR emails. 29

Alert: Phishing Email Disguised as Official OCR Audit Communication - November 28, 2016 Phishing email originated from OSOCRAudit@hhs-gov.us and directed individuals to a URL at http://www.hhsgov.us. Subtle difference from the official email address for HIPAA audit program, OSOCRAudit@hhs.gov and the website, http://www.hhs.gov, typical in phishing scams. 30

Most Investigated HIPAA Compliance Issues for Private Practices Impermissible uses and disclosures of PHI. Lack of safeguards of PHI. Lack of patient access to their PHI. Use or disclosure of more than the minimum necessary PHI. Lack of administrative safeguards ephi. 31

Case Examples of Enforcement Actions Against Private Practices Improper charges for medical records. Providing summary record instead of full record set without consent. Refused access to medical exam records when paid for by third party. Denial of portion of record created by different provider. Denial of records to patient with balance due. 32

Other Examples of Common HIPAA Enforcement Actions Stolen laptop, flash drive, phone... Failure to enter into business associate agreements. Failure to disclose minimum necessary for all but treatment purposes. Waiting rooms computer monitors, sign-ins, privacy protections, etc. Proof that Risk Analysis has been performed. Timely breach notifications (60 days) 33

HIPAA Enforcement Best Practices Conduct annual security risk analysis and respond to results. Investigate, provide notice of, and report breaches. Update and maintain BAA checklist. If ever contacted by OCR, OSOCRAudit@hhs.gov, immediately review and revise policies and procedures if need be. Post-incident amendments and revisions to policies must be accurately dated. 34

Questions? Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com (802) 864-0880

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback