HIPAA Workshop
Ensuring PHI: Creating a Comprehensive Office Policy
2014 OP User Conference
Presented by:
Sue Kressly, MD, FAAP and Leann DiDomenico, MBA
Goal: Develop your Strategy to Ensure the Safety of PHI!
Objectives:
■ Understand the difference between HIPAA Privacy and HIPAA Security
■ Define the 3 categories of HIPAA safeguards
■ Outline steps required to perform a risk analysis
■ Learn to identify and rank current risks in your practice
■ Learn what constitutes a breach and how to report
■ Identify available resources to assist your practice
Agenda: HIPAA Workshop 3:20-4:40
■ Introduction/Overview (10 minutes)
■ Small Workgroups (15 minutes)
■ Small Groups Each Report 5 minutes (20 minutes)
■ Brief Overview of Safeguard Examples on ONC Security Risk Assessment Tool (5 minutes)
■ Performance Pediatrics Case Study (10 minutes)
■ Questions
■ Quick Look at Security Risk Assessment Tool (time permitting)
What is HIPAA?
■ Health Insurance Portability and Accountability Act 1996
■ National standards for the use and disclosure of individually identifiable health information
■ Two Rules:
■ HIPAA Privacy Rule: protects individuals' health information across all mediums: electronic, paper and oral
■ HIPAA Security Rule: protects individuals' e-PHI that is created, received, used, or
Why does it matter?
■ Required by Law
■ Required to meet Meaningful Use
■ It’s good business practice
■ HIPAA Audit Program is part of the HITECH Act
Getting Started Phase 1:
■ Preparation
■ Confirm you are a covered entity
■ Provide Leadership
■ Define Security Team
■ Hire? Use Outside Resources?
■ Document Findings and Processes
Phase 2:
■ Inventory Assets (all devices with ePHI)
■ Identify Business Associates
■ Conduct Risk Analysis
■ Develop Action Plan for Identified Threats
Phase 3:
■ Risk Management
■ Manage and Mitigate Risks
■ Prevent with Education and Training
■ Communicate with Patients
Phase 4:
■ MU Attestation?
■ Perform Security Risk Assessment at least 90 days prior to Reporting Period
■ Other Outside Entity Reporting?
■ NCQA: PCMH
Assessing Risk Level of Threats and Vulnerabilities:
What Safeguards need to be in place?
3 Categories:
■ Administrative
■ Standards/Specifications for PHI Security Program
■ Physical
■ Access to Office and Computer Systems
■ Technical
What Safeguards Need to Be in Place?
■ Administrative Examples
■ Physical Examples
■ Technical Examples
Examples to follow are taken directly from the ONC Security Risk Assessment Tool.
Administrative Safeguards
■ Security management processes to identify and analyze risks to ePHI
■ Implementing security measures to reduce risks
■ Staff training to ensure knowledge of and compliance with your policies and procedures
■ Information access management to limit access to protected health information
■ Contingency plan to respond to emergencies or restore lost data
Physical Safeguards
■ Secure access to the office, such as locks and alarms, to ensure only authorized personnel have access to facilities that house systems and data
■ Workstation security measures, such as cable locks and computer monitor privacy filters, to guard against theft and restrict access
■ Workstation use policies to ensure proper access and use
Technical Safeguards
■ Access controls to restrict access to ePHI to only authorized personnel
■ Audit controls to monitor activity on systems containing ePHI
■ Integrity controls to prevent improper ePHI alteration or destruction
■ Transmission security measures to protect ePHI when transmitted over an electronic network
HIPAA/OP Case Study: Performance Pediatrics
● Micro-practice in Plymouth, Massachusetts
● In 2006 purchased HIPAA product
○ McDermott, Will & Emery (http://www.mwe.com/)
○ $375 + calls to our lawyer
○ Policy and Forms
○ No training
○ No updates
● In 2010 switched/added online solution
○ Based on MGMA recommendation, chose Healthcare Compliance Solutions (http://hcsiinc.com/)
○ $325/year for 5 employees
○ Feel confident in their policy, forms, training and newsletter
HIPAA/OP Case Study: Performance Pediatrics
● MedSafe (http://medsafe.com/)
○ Colleague experience with grandparents
■ HIPAA complaint filed
■ MedSafe handled the whole thing
○ Our experience with CVS
■ CVS faxing to wrong number
■ Sent two certified letters
○ Online, yet local
○ Able to conduct MU risk assessment
○ Higher cost
● Find your partner
○ Talk to colleagues/OP-manager user group
○ Check with local AAP chapter and medical society
○ MGMA
How OP Helps Us with HIPAA Compliance
● New patients
○ Utilize an OP Order Worksheet for standard tasks
■ Parent signs NPP
■ Front desk marks as complete
○ Scan NPP in chart
● OP pop-up windows
○ Whenever HIPAA requires that we record what we printed
○ OP system eases the burden
■ Drop downs
■ Open text fields
How OP Helps Us with HIPAA Compliance
● Audit employees
○ Performance reviews every 3 months
○ Random audit of the employee
■ To ensure that printed records are being properly documented
■ How to:
● Records
● Audit Log
● Set the Date Range
● Disclosure Tracking
● Isolate to one staff name
● Cross reference this with the Event Chronology to ensure there is detailed documentation
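The cross-reference step above (print events in the Audit Log versus Disclosure Tracking entries for one staff member in a date range) can be scripted once both views are exported. The following is an added example, not code from the workshop or from OP; the record layout and field names are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not an OP export; field names are assumptions).
# Audit-log events: chart activity by staff, including "print" actions.
AUDIT_LOG = [
    {"ts": "2014-05-02 09:12", "user": "jsmith", "patient": 1001, "event": "print"},
    {"ts": "2014-05-02 09:40", "user": "jsmith", "patient": 1002, "event": "print"},
    {"ts": "2014-05-03 14:05", "user": "jsmith", "patient": 1003, "event": "view"},
    {"ts": "2014-05-06 11:20", "user": "jsmith", "patient": 1004, "event": "print"},
    {"ts": "2014-05-06 16:00", "user": "mjones", "patient": 1005, "event": "print"},
]
# Disclosure-tracking entries: what staff recorded as released and to whom.
DISCLOSURES = [
    {"ts": "2014-05-02 09:15", "user": "jsmith", "patient": 1001, "recipient": "parent"},
    {"ts": "2014-05-06 16:05", "user": "mjones", "patient": 1005, "recipient": "school"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def undocumented_prints(audit_log, disclosures, user, start, end, window_hours=24):
    """Return print events by `user` whose date falls in [start, end] (YYYY-MM-DD,
    inclusive) that have no disclosure record for the same patient within
    `window_hours` after the print.  Each returned event is an audit finding."""
    start_d = datetime.strptime(start, "%Y-%m-%d").date()
    end_d = datetime.strptime(end, "%Y-%m-%d").date()
    window = timedelta(hours=window_hours)
    prints = [e for e in audit_log
              if e["user"] == user and e["event"] == "print"
              and start_d <= _parse(e["ts"]).date() <= end_d]
    logged = [d for d in disclosures if d["user"] == user]
    findings = []
    for p in prints:
        printed_at = _parse(p["ts"])
        documented = any(d["patient"] == p["patient"]
                         and printed_at <= _parse(d["ts"]) <= printed_at + window
                         for d in logged)
        if not documented:
            findings.append(p)
    return findings


if __name__ == "__main__":
    for f in undocumented_prints(AUDIT_LOG, DISCLOSURES, "jsmith", "2014-05-01", "2014-05-07"):
        print("undocumented print:", f["ts"], "patient", f["patient"])
```

Each finding is a print with no matching disclosure entry and should be followed up with the staff member, since the Audit Log shows the record left the system even though nothing was documented.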
How OP Helps Us with HIPAA Compliance
● Privacy Tab on the OP Patient Register
○ Useful for patients with unusual situations
■ Biological parent with a restraining order
■ Foster children
○ Give employees pause
■ Use @@ pop ups in the notes
■ Watch for bright red color
● PHI is being picked up
○ Parent calls to request a Rx refill
■ Provider records details in a message; sets task
■ At pick up, the receptionist verifies the identity of the parent and marks the task as complete
How OP Helps Us with HIPAA Compliance
■ Adolescent concerns
■ In the notes, providers mark items "clinical staff only" or "exempt from reporting"
■ Ensures mental and reproductive health documentation for adolescents is properly protected
BREACH:
An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information
Impermissible use or disclosure of PHI is assumed to be a breach unless...
■ The covered entity or BA demonstrates there is a low probability that PHI has been compromised based on:
■ The nature/extent of the PHI, including the types of identifiers and likelihood of re-identification
■ The unauthorized person who used the PHI or to whom the disclosure was made
■ Whether the PHI was actually acquired or viewed; and
■ The extent to which the risk to the PHI has been mitigated
■ Following a breach of unsecured PHI, covered entities must provide notification of the breach to
■ affected individuals
■ the HHS Secretary of Breaches
■ in certain circumstances to the media
■ Business associates must notify covered entities if a breach occurs at or by the business associate
■ More information is available at the HHS website on breach notification
Action Items
■ Identify your security team including leadership
■ Document your findings, processes and actions
■ Inventory your assets
■ Identify your Business Associates
■ Conduct your risk analysis
Resources
● Security Risk Assessment Tool
● HealthIT.gov: Privacy and Security
● HIPAA Summary
● Remote User's Guide
● Cybersecurity: 10 Best Practices For The Small Healthcare Environment
● Tip Sheet for Using Mobile Devices
● Model Privacy Notices from ONC and OCR
● HIPAA Security Games