What do you need to know?


DISCLAIMER

Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH Act developments. It is not intended, nor should it be used, as a substitute for specific legal advice.

HIPAA Regulations

What do you need to know?

Rate your practice's current compliance.

— Are you HIPAA compliant right now?
— Privacy Rule compliance requirements
— Security Rule compliance requirements
— Breach notification requirements
— Documentation
— Audits

Recent Breaches in the News

— Recent breaches and their costs!
— Experts: Lack of HIPAA basics cost BCBST $18.5 million
— Basic compliance 101 (policies, training, monitoring, and risk assessments) may have saved Blue Cross Blue Shield of Tennessee (BCBST) millions, experts say.
— Instead, the health insurer agreed to a $1.5 million settlement with the Office for Civil Rights (OCR) over potential HIPAA security violations and spent another $17 million in breach response costs.
— In the fall of 2009, BCBST reported to OCR that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained protected health information (PHI) for more than one million individuals, including member names, Social Security numbers, diagnosis codes, birthdates, and health plan identification numbers.

WHY SHOULD I CARE?

OCR's investigation of Phoenix Cardiac Surgery PC (2-physician practice)
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf

— failed to implement adequate policies and procedures to appropriately safeguard patient information;
— failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
— failed to identify a security official and conduct a risk analysis;
— failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
— Corrective Action Plan required
— Penalty - $100,000
— Reputation impact?

OCR Findings from 2005-2010

Does your practice have a designated HIPAA Privacy Officer?

— Failure to demonstrate adequate policies and procedures or safeguards to address response to and reporting of security incidents
— Security awareness and training
— Access controls
— Information access management
— Workstation security

HIPAA Privacy Rule

45 CFR Part 160 and Part 164, Subparts A and E.

— Designate a HIPAA Privacy Officer
— Update your Notice of Privacy Practices
  http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
— New additional patient rights related to the privacy of their information and their access to it.
— Conduct compliance audits
— Conduct annual training of staff on Privacy Rule policies and procedures
— Document all disclosures according to the Privacy Rule.

HIPAA Security Rule

45 CFR Part 160 and Part 164, Subparts A and E.

— Accountability, penalty, and prosecution for disclosure of/access to ePHI
— Protecting ePHI at rest, in transit, and in destruction.
— Breach reporting
— Auditing
— 3 sets of safeguards (standards)
    — Administrative
    — Physical
    — Technical

BREACH NOTIFICATION RULE
HITECH ACT SECTION 13402

— Definition of a "Breach"
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

— Requirements
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary of HHS and, in certain circumstances, to the media. In addition, Business Associates must now notify covered entities of a breach if it occurred due to their actions or processes.

BREACH NOTIFICATION RULE

— Individual notice - within 60 days of breach
    — First class mail
        — Include a description of the breach, a description of the data involved, protective steps for individuals, and an action plan to resolve, mitigate and prevent further breaches.
    — For unknown or out-of-date contact information on affected individuals, notification should be done via an announcement on the Covered Entity's website or in local media where the affected individuals reside.
— Media notice - within 60 days of breach
    — For breaches of more than 500 patients
        — Include a description of the breach, a description of the data involved, protective actions for individuals, and an action plan to resolve, mitigate and prevent further breaches.

BREACH NOTIFICATION RULE

— Notice to the Secretary of Health and Human Services
    — For breaches of fewer than 500 individuals
        — File a report on the HHS website annually
    — For breaches of more than 500 individuals
        — File a report on the HHS website within 60 days of the breach.
— Notification by Business Associates
    — Business Associates are required to notify the Covered Entity upon discovery of any breach within 60 days
    — The Business Associate should provide the Covered Entity with the identification of each individual affected by the breach, as well as any information required to be provided by the Covered Entity in its notification to affected individuals.

Documentation

— HIPAA Privacy Rule policies and procedures
    — Accounting of disclosures
    — Notice of Privacy Practices
    — Record of periodic workforce training

— HIPAA Security Rule policies and procedures
    — Documentation of periodic risk assessments
    — Record of security audits
    — Record of periodic workforce training

Auditing

— Need to have written policies and procedures stating how often and what you will be monitoring and reviewing:
    — Audit logs
    — Access reports
    — Security incident tracking reports
    — Documentation of user access roles and of granting/revocation of access upon termination or change in user role

HIPAA Audit Protocol
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

— 78 Privacy Rule audit protocols
— 77 Security Rule audit protocols
— 10 Breach Notification Rule audit protocols

A Few Last Thoughts

— Form a TEAM at your practice; include one member from each area: providers, nursing, billing, front desk.
— Perform a risk assessment to identify how ePHI is created, used, transmitted, and disposed of.
— Designate a HIPAA Privacy and Security Officer.
— Create and maintain updated policies and procedures.
— Develop and document your practice's breach notification procedures.
— Periodically monitor your systems (audit).
— Consider email encryption if you need to email ePHI.

Resources

— HIPAA Privacy Rule
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
— HIPAA Security Rule
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
— HIPAA Breach Notification Rule
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
— HIPAA Audit Protocols
  http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
— HIPAA consultants (education, training, consulting)
    — HCPRO Blogs - http://blogs.hcpro.com/hipaa/
    — ecFirst - http://www.ecfirst.com/
    — Clearwater Compliance - http://clearwatercompliance.com/
