HIPAA Workshop Ensuring PHI: Creating a Comprehensive Office Policy


(1)

HIPAA Workshop
Ensuring PHI: Creating a Comprehensive Office Policy

2014 OP User Conference

Presented by: Sue Kressly, MD, FAAP and Leann DiDomenico, MBA

(2)

Goal: Develop your Strategy to Ensure the Safety of PHI!

Objectives:

■ Understand the difference between HIPAA Privacy and HIPAA Security
■ Define the 3 categories of HIPAA safeguards
■ Outline steps required to perform a risk analysis
■ Learn to identify and rank current risks in your practice
■ Learn what constitutes a breach and how to report
■ Identify available resources to assist your practice

(3)

Agenda: HIPAA Workshop 3:20-4:40

■ Introduction/Overview (10 minutes)
■ Small Workgroups (15 minutes)
■ Small Groups Each Report 5 minutes (20 minutes)
■ Brief Overview of Safeguard Examples on ONC Security Risk Assessment Tool (5 minutes)
■ Performance Pediatrics Case Study (10 minutes)
■ Questions
■ Quick Look at Security Risk Assessment Tool (time permitting)

(4)

What is HIPAA?

■ Health Insurance Portability and Accountability Act of 1996
■ National standards for the use and disclosure of individually identifiable health information
■ Two Rules:
  ○ HIPAA Privacy Rule: protects individuals' health information across all mediums: electronic, paper and oral
  ○ HIPAA Security Rule: protects individuals' e-PHI that is created, received, used, or

(5)

Why does it matter?

■ Required by Law
■ Required to meet Meaningful Use
■ It's good business practice
■ HIPAA Audit Program is part of the HITECH Act

(6)

Getting Started Phase 1:

■ Preparation
  ○ Confirm you are a covered entity
  ○ Provide Leadership
  ○ Define Security Team
  ○ Hire? Use Outside Resources?
■ Document
  ○ Findings
  ○ Processes

(7)

Phase 2:

■ Inventory Assets (all devices with ePHI)
■ Identify Business Associates
■ Conduct Risk Analysis
■ Develop Action Plan for Identified Threats

(8)

Phase 3:

■ Risk Management
  ○ Manage and Mitigate Risks
  ○ Prevent with Education and Training
  ○ Communicate with Patients

(9)

Phase 4:

■ MU Attestation?
  ○ Perform the Security Risk Analysis at least 90 days prior to the Reporting Period
■ Other Outside Entity Reporting?
  ○ NCQA: PCMH

(11)

Assessing Risk Level of Threats and Vulnerabilities:

(12)

What Safeguards need to be in place?

3 Categories:

■ Administrative
  ○ Standards/Specifications for PHI Security Program
■ Physical
  ○ Access to Office and Computer Systems
■ Technical

(13)

Let's See how we

(14)

What Safeguards Need to Be in Place?

■ Administrative Examples
■ Physical Examples
■ Technical Examples

Examples to follow taken directly from the

(15)

Administrative Safeguards

■ Security management processes to identify and analyze risks to ePHI
■ Implementing security measures to reduce risks
■ Staff training to ensure knowledge of and compliance with your policies and procedures
■ Information access management to limit access to protected health information
■ Contingency plan to respond to emergencies or restore lost data

(16)

Physical Safeguards

■ Secure access to the office, such as locks and alarms, to ensure only authorized personnel have access to facilities that house systems and data
■ Workstation security measures, such as cable locks and computer monitor privacy filters, to guard against theft and restrict access
■ Workstation use policies to ensure proper access and use

(17)

Technical Safeguards

■ Access controls to restrict access to ePHI to only authorized personnel
■ Audit controls to monitor activity on systems containing ePHI
■ Integrity controls to prevent improper ePHI alteration or destruction
■ Transmission security measures to protect ePHI when transmitted over an electronic network

(18)
(19)

HIPAA/OP Case Study: Performance Pediatrics

● Micro-practice in Plymouth, Massachusetts
● In 2006 purchased HIPAA product
  ○ McDermott, Will & Emery (http://www.mwe.com/)
  ○ $375 + calls to our lawyer
  ○ Policy and Forms
  ○ No training
  ○ No updates
● In 2010 switched/added online solution
  ○ Based on MGMA recommendation, chose Healthcare Compliance Solutions (http://hcsiinc.com/)
  ○ $325/year for 5 employees
  ○ Feel confident in their policy, forms, training and newsletter

(20)

HIPAA/OP Case Study: Performance Pediatrics

● MedSafe (http://medsafe.com/)
  ○ Colleague experience with grandparents
    ■ HIPAA complaint filed
    ■ MedSafe handled the whole thing
  ○ Our experience with CVS
    ■ CVS faxing to wrong number
    ■ Sent two certified letters
  ○ Online, yet local
  ○ Able to conduct MU risk assessment
  ○ Higher cost
● Find your partner
  ○ Talk to colleagues/OP-manager user group
  ○ Check with local AAP chapter and medical society
  ○ MGMA

(21)

How OP Helps Us with HIPAA Compliance

● New patients
  ○ Utilize an OP Order Worksheet for standard tasks
    ■ Parent signs NPP
    ■ Front desk marks as complete
  ○ Scan NPP in chart
● OP pop-up windows
  ○ Whenever HIPAA requires that we record what we printed
  ○ OP system eases the burden
    ■ Drop downs
    ■ Open text fields

(22)

How OP Helps Us with HIPAA Compliance

● Audit employees
  ○ Performance reviews every 3 months
  ○ Random audit of the employee
    ■ To ensure that printed records are being properly documented
    ■ How to:
      ● Records
      ● Audit Log
      ● Set the Date Range
      ● Disclosure Tracking
      ● Isolate to one staff name
      ● Cross reference this with the Event Chronology to ensure there is detailed documentation
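The random audit above is a reconciliation: every print of a patient record by one staff member inside the chosen date range should have a matching Disclosure Tracking entry, and any print without one is the finding the reviewer writes up. The block below is an added example, not part of the deck and not Office Practicum code, that performs that cross-check over a constructed export. The record layouts, field names (`staff`, `patient_id`, `action`), the 24-hour matching window, and the sample events are all assumptions for illustration; the actual OP audit-log and Disclosure Tracking export formats are not described in the deck.

```python
"""Reconcile PRINT events in an EHR audit-log export against the
disclosure-tracking log for one staff member and one date range.

Added example; not from the workshop deck and not Office Practicum code.
Record layouts, field names and the sample data are assumptions made for
illustration, not an actual OP export format.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    staff: str
    action: str        # assumed vocabulary: "PRINT", "VIEW", ...
    patient_id: str
    document: str


@dataclass(frozen=True)
class Disclosure:
    ts: datetime
    staff: str
    patient_id: str
    recipient: str
    reason: str


# Constructed sample data for the example; not real patients or staff.
AUDIT_LOG = [
    AuditEvent(datetime(2014, 3, 3, 9, 12), "jdoe", "PRINT", "P1001", "immunization record"),
    AuditEvent(datetime(2014, 3, 3, 9, 15), "jdoe", "VIEW", "P1002", "visit note"),
    AuditEvent(datetime(2014, 3, 10, 14, 2), "jdoe", "PRINT", "P1002", "school form"),
    AuditEvent(datetime(2014, 3, 18, 11, 40), "jdoe", "PRINT", "P1003", "growth chart"),
    AuditEvent(datetime(2014, 3, 20, 16, 5), "asmith", "PRINT", "P1004", "visit note"),
    AuditEvent(datetime(2014, 4, 2, 8, 30), "jdoe", "PRINT", "P1005", "immunization record"),
]

DISCLOSURES = [
    Disclosure(datetime(2014, 3, 3, 9, 20), "jdoe", "P1001", "parent", "parent request"),
    Disclosure(datetime(2014, 3, 10, 14, 10), "jdoe", "P1002", "school nurse", "school form"),
    # Deliberately no entry for jdoe's 2014-03-18 print of P1003.
    Disclosure(datetime(2014, 3, 20, 16, 9), "asmith", "P1004", "specialist", "referral"),
]


def in_range(ts: datetime, start: date, end: date) -> bool:
    """True if the timestamp falls on a day inside the inclusive date range."""
    return start <= ts.date() <= end


def prints_by(audit, staff: str, start: date, end: date):
    """Step 1-4 of the deck's procedure: audit log, date range, one staff name."""
    return [e for e in audit
            if e.staff == staff and e.action == "PRINT" and in_range(e.ts, start, end)]


def undocumented_prints(audit, disclosures, staff: str, start: date, end: date,
                        window: timedelta = timedelta(hours=24)):
    """Return the PRINT events by `staff` in the range that have no
    disclosure entry by the same staff member for the same patient within
    `window` on either side of the print (staff sometimes log the
    disclosure a few minutes before or after printing)."""
    disclosed = {}
    for d in disclosures:
        if d.staff == staff:
            disclosed.setdefault(d.patient_id, []).append(d.ts)
    missing = []
    for e in prints_by(audit, staff, start, end):
        matched = any(e.ts - window <= t <= e.ts + window
                      for t in disclosed.get(e.patient_id, []))
        if not matched:
            missing.append(e)
    return missing


def audit_summary(audit, disclosures, staff: str, start: date, end: date):
    """(prints checked, prints lacking documentation): the two numbers a
    reviewer records for the employee's file."""
    checked = prints_by(audit, staff, start, end)
    missing = undocumented_prints(audit, disclosures, staff, start, end)
    return len(checked), len(missing)


if __name__ == "__main__":
    start, end = date(2014, 3, 1), date(2014, 3, 31)
    for staff in ("jdoe", "asmith"):
        checked, missing = audit_summary(AUDIT_LOG, DISCLOSURES, staff, start, end)
        print(f"{staff}: {checked} prints checked, {missing} undocumented")
        for e in undocumented_prints(AUDIT_LOG, DISCLOSURES, staff, start, end):
            print(f"  {e.ts:%Y-%m-%d %H:%M} {e.patient_id} {e.document}")
```

Keying the match on staff and patient rather than on the document name keeps the check robust to free-text reasons, and the symmetric window tolerates a disclosure logged just before the print; shrink the window if the practice's policy requires documenting at the time of printing.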

(23)

How OP Helps Us with HIPAA Compliance

● Privacy Tab on the OP Patient Register
  ○ Useful for patients with unusual situations
    ■ Biological parent with a restraining order
    ■ Foster children
  ○ Give employees pause
    ■ Use @@ pop ups in the notes
    ■ Watch for bright red color
● PHI is being picked up
  ○ Parent calls to request a Rx refill
    ■ Provider records details in a message; sets task
    ■ At pick up, the receptionist verifies the identity of the parent and marks the task as complete

(24)

How OP Helps Us with HIPAA Compliance

● Adolescent concerns
  ○ In the notes, providers mark items "clinical staff only" or "exempt from reporting"
  ○ Ensures mental and reproductive health documentation for adolescents is properly protected

(25)

BREACH:

An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information

(26)

Impermissible use or disclosure of PHI is assumed to be a breach unless...

■ The covered entity or BA demonstrates there is a low probability that PHI has been compromised based on:
  ○ The nature/extent of the PHI, including the types of identifiers and likelihood of re-identification
  ○ The unauthorized person who used the PHI or to whom the disclosure was made
  ○ Whether the PHI was actually acquired or viewed; and
  ○ The extent to which the risk to the PHI has been mitigated

(27)

■ Following a breach of unsecured PHI, covered entities must provide notification of the breach to
  ○ affected individuals
  ○ the HHS Secretary
  ○ in certain circumstances, the media
■ Business associates must notify covered entities if a breach occurs at or by the business associate
■ More information is available at the HHS website on breach notification

(29)

Action Items

■ Identify your security team including leadership
■ Document your findings, processes and actions
■ Inventory your assets
■ Identify your Business Associates
■ Conduct your risk analysis

(30)

Resources

● Security Risk Assessment Tool
● HealthIT.gov: Privacy and Security
● HIPAA Summary
● Remote User's Guide
● Cybersecurity: 10 Best Practices For The Small Healthcare Environment
● Tip Sheet for Using Mobile Devices
● Model Privacy Notices from ONC and OCR
● HIPAA Security Games
