HIPAA Workshop Ensuring PHI: Creating a Comprehensive Office Policy

Academic year: 2021


(1)

HIPAA Workshop

Ensuring PHI: Creating a Comprehensive Office Policy

2014 OP User Conference

Presented by: Sue Kressly, MD, FAAP and Leann DiDomenico, MBA

(2)

Goal: Develop your Strategy to Ensure the Safety of PHI!

Objectives:

■ Understand the difference between HIPAA Privacy and HIPAA Security

■ Define the 3 categories of HIPAA safeguards

■ Outline steps required to perform a risk analysis

■ Learn to identify and rank current risks in your practice

■ Learn what constitutes a breach and how to report

■ Identify available resources to assist your practice

(3)

Agenda: HIPAA Workshop 3:20-4:40

■ Introduction/Overview (10 minutes)

■ Small Workgroups (15 minutes)

■ Small Groups Each Report 5 minutes (20 minutes)

■ Brief Overview of Safeguard Examples on ONC Security Risk Assessment Tool (5 minutes)

■ Performance Pediatrics Case Study (10 minutes)

■ Questions

■ Quick Look at Security Risk Assessment Tool (time permitting)

(4)

What is HIPAA?

■ Health Insurance Portability and Accountability Act 1996

■ National standards for the use and disclosure of individually identifiable health information

■ Two Rules:

■ HIPAA Privacy Rule: protects individuals’ health information across all mediums: electronic, paper and oral

■ HIPAA Security Rule: protects individuals’ e-PHI that is created, received, used, or

(5)

Why does it matter?

■ Required by Law

■ Required to meet Meaningful Use

■ It’s good business practice

■ HIPAA Audit Program is part of the HITECH Act

(6)

Getting Started Phase 1:

■ Preparation

Confirm you are a covered entity

Provide Leadership

Define Security Team

Hire? Use Outside Resources?

■ Document

Findings

Processes

(7)

Phase 2:

■ Inventory Assets (all devices with ePHI)

■ Identify Business Associates

■ Conduct Risk Analysis

■ Develop Action Plan for Identified Threats

(8)

Phase 3:

■ Risk Management

■ Manage and Mitigate Risks

■ Prevent with Education and Training

■ Communicate with Patients

(9)

Phase 4:

■ MU Attestation?

■ Perform Security Risk at least 90 days prior to Reporting Period

■ Other Outside Entity Reporting?

■ NCQA: PCMH

(10)

(11)

Assessing Risk Level of Threats and Vulnerabilities:

(12)

What Safeguards need to be in place?

3 Categories:

■ Administrative

■ Standards/Specifications for PHI Security Program

■ Physical

■ Access to Office and Computer Systems

■ Technical

(13)

Let’s See how we

(14)

What Safeguards Need to Be in Place?

■ Administrative Examples

■ Physical Examples

■ Technical Examples

Examples to follow taken directly from the

(15)

Administrative Safeguards

■ Security management processes to identify and analyze risks to ePHI

■ Implementing security measures to reduce risks

■ Staff training to ensure knowledge of and compliance with your policies and procedures

■ Information access management to limit access to protected health information

■ Contingency plan to respond to emergencies or restore lost data

(16)

Physical Safeguards

■ Secure access to the office, such as locks and alarms, to ensure only authorized personnel have access to facilities that house systems and data

■ Workstation security measures, such as cable locks and computer monitor privacy filters, to guard against theft and restrict access

■ Workstation use policies to ensure proper access and use

(17)

Technical Safeguards

■ Access controls to restrict access to ePHI to only authorized personnel

■ Audit controls to monitor activity on systems containing ePHI

■ Integrity controls to prevent improper ePHI alteration or destruction

■ Transmission security measures to protect ePHI when transmitted over an electronic network

(18)

(19)

HIPAA/OP Case Study: Performance Pediatrics

● Micro-practice in Plymouth, Massachusetts

● In 2006 purchased HIPAA product

○ McDermott, Will & Emery (http://www.mwe.com/)

○ $375 + calls to our lawyer

○ Policy and Forms

○ No training

○ No updates

● In 2010 switched/added online solution

○ Based on MGMA recommendation, chose Healthcare Compliance Solutions (http://hcsiinc.com/)

○ $325/year for 5 employees

○ Feel confident in their policy, forms, training and newsletter

(20)

HIPAA/OP Case Study: Performance Pediatrics

● MedSafe (http://medsafe.com/)

○ Colleague experience with grandparents

■ HIPAA complaint filed

■ MedSafe handled the whole thing

○ Our experience with CVS

■ CVS faxing to wrong number

■ Sent two certified letters

○ Online, yet local

○ Able to conduct MU risk assessment

○ Higher cost

● Find your partner

○ Talk to colleagues/OP-manager user group

○ Check with local AAP chapter and medical society

○ MGMA

(21)

How OP Helps Us with HIPAA Compliance

● New patients

○ Utilize an OP Order Worksheet for standard tasks

■ Parent signs NPP

■ Front desk marks as complete

○ Scan NPP in chart

● OP pop-up windows

○ Whenever HIPAA requires that we record what we printed

○ OP system eases the burden

■ Drop downs

■ Open text fields

(22)

How OP Helps Us with HIPAA Compliance

● Audit employees

○ Performance reviews every 3 months

○ Random audit of the employee

■ To ensure that printed records are being properly documented

■ How to:

● Records

● Audit Log

● Set the Date Range

● Disclosure Tracking

● Isolate to one staff name

● Cross reference this with the Event Chronology to ensure there is detailed documentation
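The random employee audit above is a reconciliation: every printed record in the audit log should have a matching disclosure-tracking entry. This added example (not from the slides or from OP) implements that check over constructed sample exports; the pipe-delimited formats, field names and the one-day matching window are assumptions.

```python
"""Reconcile PRINT events in an audit log against disclosure tracking.

Added example: formats below are constructed, not OP's real export format."""
from datetime import datetime, date

# Constructed audit log: timestamp|user|event|target
AUDIT_LOG = """\
2014-05-02T09:14:00|jdoe|PRINT|patient=1001
2014-05-02T09:40:00|jdoe|PRINT|patient=1002
2014-05-03T11:05:00|msmith|PRINT|patient=1003
2014-05-04T08:30:00|jdoe|VIEW|patient=1004
2014-05-06T15:12:00|jdoe|PRINT|patient=1005
"""

# Constructed disclosure tracking: date|user|target|reason
DISCLOSURE_TRACKING = """\
2014-05-02|jdoe|patient=1001|Copy to specialist, authorization on file
2014-05-03|msmith|patient=1003|School form, parent request
"""


def parse_audit(text):
    """Yield (timestamp, user, event, target) tuples from the audit export."""
    for line in text.splitlines():
        ts, user, event, target = line.split("|")
        yield datetime.fromisoformat(ts), user, event, target


def undocumented_prints(audit_text, disclosure_text, staff, start, end):
    """Return PRINT events by `staff` within [start, end] that have no
    disclosure-tracking entry for the same day, staff member and patient.
    Mirrors the manual steps: set date range, isolate one staff name,
    cross-reference against the disclosure log."""
    documented = set()
    for line in disclosure_text.splitlines():
        d, user, target, _reason = line.split("|")
        documented.add((date.fromisoformat(d), user, target))
    missing = []
    for ts, user, event, target in parse_audit(audit_text):
        if user != staff or event != "PRINT":
            continue  # other staff and non-print activity are out of scope
        if not (start <= ts.date() <= end):
            continue
        if (ts.date(), user, target) not in documented:
            missing.append((ts.isoformat(), target))
    return missing


if __name__ == "__main__":
    for item in undocumented_prints(AUDIT_LOG, DISCLOSURE_TRACKING, "jdoe",
                                    date(2014, 5, 1), date(2014, 5, 31)):
        print("undocumented print:", item)
```

Each item returned is a printed record the staff member never documented, which is exactly the gap the quarterly review is meant to surface.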

(23)

How OP Helps Us with HIPAA Compliance

● Privacy Tab on the OP Patient Register

○ Useful for patients with unusual situations

■ Biological parent with a restraining order

■ Foster children

○ Give employees pause

■ Use @@ pop ups in the notes

■ Watch for bright red color

● PHI is being picked up

○ Parent calls to request a Rx refill

■ Provider records details in a message; sets task

■ At pick up, the receptionist verifies the identity of the parent and marks the task as complete

(24)

How OP Helps Us with HIPAA Compliance

■ Adolescent concerns

■ In the notes, providers mark items “clinical staff only” or “exempt from reporting”

■ Ensures mental and reproductive health documentation for adolescents is properly protected

(25)

BREACH:

An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information

(26)

Impermissible use or disclosure of PHI is assumed to be a breach unless...

■ The covered entity or BA demonstrates there is a low probability that PHI has been compromised based on:

■ The nature/extent of the PHI, including the types of identifiers and likelihood of re-identification

■ The unauthorized person who used the PHI or to whom the disclosure was made

■ Whether the PHI was actually acquired or viewed; and

■ The extent to which the risk to the PHI has been mitigated

(27)

■ Following a breach of unsecured PHI, covered entities must provide notification of the breach to

■ affected individuals

■ the HHS Secretary of Breaches

■ in certain circumstances to the media

■ Business associates must notify covered entities if a breach occurs at or by the business associate

■ More information is available at the HHS website on breach notification

(28)

(29)

Action Items

■ Identify your security team including leadership

■ Document your findings, processes and actions

■ Inventory your assets

■ Identify your Business Associates

■ Conduct your risk analysis

(30)

Resources

● Security Risk Assessment Tool

● HealthIT.gov: Privacy and Security

● HIPAA Summary

● Remote User's Guide

● Cybersecurity: 10 Best Practices For The Small Healthcare Environment

● Tip Sheet for Using Mobile Devices

● Model Privacy Notices from ONC and OCR

● HIPAA Security Games

(31)
