
INFORMATION SECURITY & HIPAA COMPLIANCE

MPCA Annual Conference August 5, 2013

Agenda

1. HIPAA
2. The New Healthcare Paradigm
3. Internal Compliance
4. Conclusion

1. HIPAA


Earning Their Trust

HIPAA


Health Insurance Portability & Accountability Act (HIPAA)

• Privacy – individuals' rights of privacy and standards for disclosure
• Security – safeguards for electronic PHI (ePHI)
• Breach Notification – reporting breaches of unsecured PHI

Sets standards to assure the Confidentiality, Integrity, and Availability of PHI


PHI and Personally Identifiable Information

• Any information (verbal, electronic, or written) that relates to a person's physical or mental health, the care provided, or payment for that care becomes PHI when it is linked to an identifier such as:

• Name
• Postal Address
• All elements of Date
• Telephone Number
• Fax Number
• Email Address
• URL
• IP Address
• Social Security Number
• Account Numbers
• License Number
• Medical Record Number
• Health Plan Number
• Device Identifier
• Vehicle Identifier
• Biometric Identifier
• Full-face Photos
• Any other unique identifying number
• Genetic information (treated as health information under the Omnibus Rule)
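As an added example, not part of the original slides, the following Python shows how the identifier list above is applied in practice: a safe-harbor style pass that drops the listed identifier fields from a structured record and reduces dates to the year (45 CFR 164.514(b)(2) keeps only the year), followed by a regex scan that catches identifiers embedded in free-text notes, which is the usual way a record stays PHI after field-level de-identification. The field names, regex patterns and the sample record are assumptions constructed for illustration.

```python
"""Safe-harbor style identifier handling for a single patient record.

Added example; not part of the MPCA slides. Field names, regex patterns
and the sample record below are assumptions constructed for illustration.
"""
import re
from datetime import date

# Free-text patterns for identifier types from the HIPAA list that have a
# recognisable shape. Illustrative only: names and street addresses cannot
# be found reliably by regex, so a scan like this supplements, never
# replaces, field-level removal.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.I),
}

# Structured fields that carry direct identifiers (assumed schema, mapped
# from the identifier list on the slide).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
}


def scan_text(text):
    """Return {identifier_type: [matches]} for identifiers found in free text."""
    hits = {}
    for name, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def deidentify(record):
    """Drop direct identifier fields and reduce dates to the year.

    Safe harbor (45 CFR 164.514(b)(2)) removes all elements of dates
    except the year; every other field is passed through unchanged.
    """
    clean = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key.endswith("_date") and isinstance(value, date):
            clean[key[:-5] + "_year"] = value.year
        else:
            clean[key] = value
    return clean


def residual_identifiers(record):
    """Identifiers still embedded in string values, e.g. in free-text notes."""
    found = {}
    for key, value in record.items():
        if isinstance(value, str):
            hits = scan_text(value)
            if hits:
                found[key] = hits
    return found


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN 00012345",
    "email": "jane.sample@example.com",
    "visit_date": date(2013, 8, 5),
    "diagnosis": "hypertension",
    "notes": "Patient called from (248) 555-0100; follow-up 8/12/2013.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print("after field removal:", clean)
    # The notes field still leaks a phone number and a full date, so the
    # record is still PHI until those are removed as well.
    print("still identifying:", residual_identifiers(clean))
```

Regex scanning only catches identifiers with a recognisable shape; names and addresses need field-level handling or an expert-determination process, so a clean scan is necessary evidence, not sufficient evidence, that data has been de-identified.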

HIPAA – Privacy Rule

Establishes rights of privacy and standards for disclosure

Permitted Disclosures
• Personal Representatives
• Treatment, Payment and Healthcare Operations
• Written Authorization/Verbal Consent
• De-identified Data

Disclosures Required by Law
• Public Health Activities
• Law Enforcement

Verification Requirements (verify the identity and authority of the requester before disclosing)

Notice of Privacy Practices

HIPAA – Security Rule

Requires control measures to safeguard the confidentiality, integrity and availability of electronic Protected Health Information (ePHI)

Organizational Requirements – Business Associate Agreements (BAAs)

Security Standards (safeguards)
1. Administrative
2. Physical
3. Technical

Administrative safeguard standards include:
• Security Management Process (risk analysis, risk management, sanction policy, information system activity review)
• Information Access Management
• Security Awareness and Training

HIPAA – Breach Notification Rule

Requires notifications to authorities and patients when unsecured PHI has been breached

Defines Breach as the impermissible use or disclosure that compromises the security or privacy of unsecured PHI

Exceptions
1. Unintentional acquisition, access or use by a workforce member acting in good faith and within the scope of authority
2. Inadvertent disclosure between workforce members authorized to access PHI at the same entity
3. Recipient could not reasonably have retained the information

Unsecured PHI – PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a method specified in HHS guidance (encryption or destruction). Loss of properly encrypted ePHI is therefore not a reportable breach, provided the decryption key was not also compromised.

HIPAA – Omnibus Final Rule

Released on January 17, 2013; effective on March 26, 2013; compliance required by September 23, 2013.

Broadened the definition of a Business Associate to include subcontractors

Direct and expanded liability of Business Associates under the Privacy and Security Rules

Civil Monetary Penalties (capped at $1.5 million per calendar year for violations of an identical provision)
1. Did Not Know – $100 to $50,000 per violation
2. Reasonable Cause – $1,000 to $50,000 per violation
3. Willful Neglect, Corrected – $10,000 to $50,000 per violation
4. Willful Neglect, Not Corrected – $50,000 per violation

HIPAA – Omnibus Final Rule

An impermissible use or disclosure of PHI is now presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised.

Established four factors for the risk assessment that follows an impermissible use or disclosure:
1. Nature and extent of the PHI involved (types of identifiers, likelihood of re-identification)
2. The unauthorized person who used the PHI or to whom it was disclosed
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated

• Breach notification is therefore required in all situations except where a low probability of compromise is demonstrated and documented.
• Individual rights of access (including electronic copies of ePHI)

HIPAA – Omnibus Final Rule

Disclosures not requiring authorization
• Treatment, Payment and Healthcare Operations (TPO)
• Public health and legal requirements

Required modifications to the Notice of Privacy Practices
1. Authorization required for:
   • Most uses and disclosures of psychotherapy notes
   • Uses and disclosures for marketing purposes
   • Disclosures that constitute a sale of PHI
   • Other uses or disclosures not described in the NPP
2. Individual rights to authorize or restrict disclosure (including restricting disclosure to a health plan for services paid out of pocket in full)
3. Provider may choose not to comply with other restriction requests (the out-of-pocket restriction must be honored)
4. Notify individuals of breaches of their PHI

2. The New Healthcare Paradigm

3. Internal Compliance

Internal Compliance Framework

1. Define Boundary
2. Assess Risk
3. Plan Corrective Actions
4. Implement Control Measures
5. Train Employees

Internal Compliance Framework

Information Security Policy & Technical Controls

1. Organization of Information Security
2. Acceptable Use
3. Access Controls & Physical Security
4. Secure Software & Malicious Code
5. Management & Exchange of Information
6. Security Incident Management
7. Breach Notification
8. Workforce Security
9. Sanctions
10. Security Awareness and Training
11. Business Continuity & Disaster Recovery

Proper Conduct and Authorized Disclosures

Internal Compliance Framework

1. Organization & Management of Information Security
   1. Compliance Officer is designated
2. Acceptable Use
   1. Proper use: no sharing of user credentials, no passwords on sticky notes
   2. Removable media
3. Access Control & Physical Security
   1. Unique and secure credentials
   2. Job functions, need to know, and Minimum Necessary
   3. Log off when leaving the work area
   4. Visitor logs
4. Secure Software & Malicious Code
   1. Only authorized software is allowed
5. Management & Exchange of Health Information
   1. Modification of PHI must be for authorized purposes
   2. Sending PHI via electronic means must be secure
6. Security Incident Management
   1. Breach of Security or Privacy
   2. Incident Report Form
7. Breach Notification
   1. Clients and/or Patients
   2. Apply the four tests
8. Workforce Security
   1. Background verification
9. Sanctions
   1. Accountability

Impacts of Non-Compliance

Regulatory Fines

Reputational Damage

Legal Actions

Loss of Business

Current Examples


Hospice of North Idaho - $50,000

Massachusetts Eye and Ear Associates Inc. - $1.5 Million

River Falls Medical Clinic – 2,400 Patient Records stolen

Shands Jacksonville Clinic – 261 Patient Records photographed

Goldthwait Associates, a Billing Service Provider - $140,000

Phoenix Cardiac Surgery, P.C. - $100,000

WellPoint – 612,402 records - $1.7 Million

4. Conclusion

HIPAA seeks to protect the:
1. Confidentiality
2. Integrity
3. Availability
of PHI

Compliance is not optional
1. Privacy, Security, Breach Notification Rules
2. Information Security Control Measures

Understand your role

Earn and maintain the trust of your clients

Questions

Xcellent Technologies 43155 Main Street Suite 2210-D Novi, MI 48375 (248) 956.0538 [email protected] http://www.xcellenttechnologies.com
