HIPAA Compliance: Implementation Tips for Providers (2018-12-13)
Welcome to ChiroCare’s Fourth Annual Fall Business Summit
October 3, 2013
HIPAA Compliance Regulatory Overview & Implementation Tips for Providers
Agenda
- Green packet
- Overview of general HIPAA terms and concepts
  o Privacy
  o Security
  o Breach Notification
- Important changes in the Final Omnibus Rule (effective 9/23/13)
- Implementing the rules in a small provider office
- Top 10 list for implementation
HIPAA Privacy Rule: Concepts
- Covered Entity
- Business Associate
- Protected Health Information
- Treatment, Payment, Health Care Operations
- Permissive Disclosures
- Minimum Necessary
- Individual Rights (notice of privacy practices, access, amendment, accounting of disclosures)
HIPAA Privacy Rule: PHI Refresher
- HIPAA protects Protected Health Information (PHI)
- PHI is:
  o Health information that identifies an individual or could reasonably be used to identify an individual;
  o Is created or received by a Covered Entity; and
  o Relates to the past, present or future health condition of an individual. This includes:
    - The provision of health care services; and
    - Payment for the provision of services.
HIPAA Privacy Rule: PHI Refresher
- Examples of PHI include:
  o Treatment notes and other clinical documentation
  o Names, addresses, telephone numbers
  o Dates (e.g., birth dates, treatment dates)
  o Email addresses
  o SSNs, medical record numbers, health plan ID numbers
  o Biometric identifiers
  o Photographs of the individual
HIPAA Privacy Rule – Uses and Disclosures
- Permissive disclosures without authorization include:
  o Treatment: The provision, coordination or management of health care by one or more health care providers
  o Payment: Activities of health care providers to obtain payment or be reimbursed for services; or activities of health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for the provision of health care
  o Health Care Operations: Activities necessary to run the business and to support the core functions of treatment and payment (e.g., administrative, financial, legal, quality improvement activities, credentialing/licensing, fraud and abuse detection)
Types of Disclosures
- HIPAA limits uses and disclosures of PHI
- Three general categories of uses and disclosures:
  o Uses and disclosures that do not require authorization
  o Uses and disclosures that require the opportunity to agree or object
  o Uses and disclosures that require authorization
Uses/Disclosures without Authorization
- The following disclosures may be made without patient authorization, provided that all requirements in the Privacy Rule are met prior to release:
  o Public health activities
  o Health oversight activities
  o Law enforcement
  o Organ & tissue donation
  o Averting serious threats to public safety
  o Workers’ compensation
  o Reporting abuse & neglect
  o Legal proceedings
  o Information about decedents
  o Research
  o Specialized government functions
Changes in the Final Omnibus Rule that Impact Providers
- Notice of Privacy Practices – update to reflect uses/disclosures
- Business Associate (BA) Agreements – update to reflect BA direct liability
- Individual Access – electronic access, off-site record storage
- Breach Notification – changes to breach “standard”
- Restrictions on disclosing PHI to health plans when requested for private pay services
Updates to Notice of Privacy Practices
- Marketing and fundraising
- Requesting restrictions – communication and private pay services
- Requesting electronic records
- Inform patients of breach notification
- Limit on use of genetic information
Breach Notification Changes
- Breach notification applies to Unsecured PHI
- Risk of harm standard eliminated!
- New standard: presume breach of unsecured PHI unless the entity is able to demonstrate and document a low probability that the PHI has been compromised.
- Must use 4-factor risk assessment:
  o Nature and extent of PHI involved.
  o The unauthorized person who received the PHI.
  o Whether the PHI was actually acquired or viewed.
  o The extent to which the risk to the PHI has been mitigated.
  o Other factors may be added to the assessment based on facts of the suspected breach.
Breach Notification Changes (cont’d)
- Document the risk assessment!
- Determine if a breach has occurred.
- If so, make proper individual notification.
- Log breach for annual report to HHS.
- If breach affects 500+ patients, fulfill additional media and government notification requirements immediately.
Security Rule Overview
- Security Rule compliance is becoming increasingly important.
- Threats to electronic data are increasing (laptops, smartphones, additional data stored electronically, use of vendors).
- Risk Assessment must be conducted to comply with the rule:
  o Physical safeguards
  o Technical safeguards
  o Administrative safeguards
HIPAA Enforcement Overview
- Individuals, not just CEs, can be subject to criminal penalties for wrongful disclosure of PHI.
- State attorney general (AG) can bring civil actions (no State action if Health and Human Services [HHS] has instituted an action for the same violation).
- Civil monetary penalties were increased.
HIPAA Audits
- First audits occurred 2011-2012.
- 115 audits have been performed (health plans, providers, and clearinghouses)
- Scope of audits includes:
  o Privacy
  o Security
  o Breach Notification
HIPAA Audits
- Audit Findings:
  o 60 percent of findings were security-based
    - 58 of 59 provider entities had at least one finding
    - No risk assessment in 2/3 of entities
  o 30 percent of findings were privacy-based
  o 10 percent of findings were breach-based
  o Providers had a greater proportion of total findings
  o Small entities struggled with all three review areas.
HIPAA Audits
- Causes of the findings:
  o In 30 percent of findings the entities were unaware of the requirement
  o Other causes included the following:
    - Lack of application of sufficient resources
    - Incomplete implementation
    - Complete disregard
HIPAA Audits (charts)
- Privacy administrative findings
- Privacy uses and disclosures
- Security elements
Source: DHHS OCR, “Lessons Learned from OCR Privacy and Security Audits,” Presentation at IAPP Global Privacy Summit (03/07/13)
Top 10 Implementation Steps
1. Develop privacy policies.
   - Document policies and procedures, including steps to take when a breach occurs.
   - Consider “how” PHI is used in the office when developing policies (sign-in sheets, using names in the waiting room, photographs of patients in the office, etc.)
2. Appoint privacy and security officers.
   - Could be the same or different individuals.
   - This person should be conversant in all HIPAA regulations and policies.
Top 10 Implementation Steps
3. Conduct regular security risk assessments.
   - Identify vulnerabilities
   - Take steps to minimize risk
4. Adopt email policies.
   - HIPAA does not prohibit the use of email for transmitting PHI, and it does not require that the email be encrypted… however, encryption is a “safe harbor”/best practice
   - If unable to encrypt email, make sure your patients are aware of the risks they are facing by asking for health information over email
Top 10 Implementation Steps
5. Adopt mobile device policies.
   - Adopt strict policies regarding storage of PHI on portable electronic devices
   - Regulate the removal of these devices from the premises
   - OCR Guidance – Risk Assessments, Policies, Training, etc.: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
Top 10 Implementation Steps
6. Conduct training.
   - Train all employees who use or disclose PHI (initial and annual)
   - Document the training
7. Develop Notice of Privacy Practices.
   - Publish and distribute to all patients
   - Display on the organization’s website
   - Obtain acknowledgment of receipt from all patients
Top 10 Implementation Steps
8. Enter into valid business associate agreements.
9. Adopt suspected breach protocols.
   - Document the investigation
   - Conduct the required risk assessment to determine if a breach has occurred
   - Notify the appropriate parties
Top 10 Implementation Steps
10. Implement policies.
   - Don’t just have policies, use them!
   - Create a culture of compliance.
   - Sanction employees who violate policies.
Thank you! Questions?