ArchCare HIPAA Compliance Training

Page 1: ArchCare HIPAA Compliance Training

Page 2: Learning Objectives

After this course and presentation, you the participant will be able to:

Recall the definition of the term HIPAA.

Recall the different provisions of the law contained in HIPAA regulations.

Recall how HIPAA affects our organization and each individual associate.

Define what Protected Health Information is.

Identify Protected Health Information.

Recall the meaning of the term PHI.

Safeguard Protected Health Information.

Recall key components of the Privacy and Security Policy.

Page 3: Purpose of this Course

This HIPAA training program has been developed to give you information and training concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA affects the way we handle specific client data.

It is our responsibility to ensure that any Protected Health Information (PHI) is safeguarded and not disclosed while in our possession.

This course has been developed to help you learn the basics about HIPAA.

We appreciate your effort in helping us become HIPAA ready.

Page 4: What is HIPAA?

A Federal Law enacted in 1996.

Acronym for “Health Insurance Portability and Accountability Act”.

Enacted to safeguard Protected Health Information.

Contains severe penalties for both intentional and unintentional violations.

Page 5: What is HIPAA? (Cont)

Contains guidelines for confidentiality of PHI (Protected Health Information).

The privacy portion of HIPAA became effective April 14, 2003.

Mandates uniform standards and formats for electronic health information and code sets for routine types of health transactions.

Page 6: How does HIPAA affect ArchCare & You?

We all must abide by certain rules and regulations that protect the privacy of healthcare information, particularly Protected Health Care Information (PHI).

This information may come to us in the form of databases, patient information sheets or electronically.

HIPAA policies and procedures have been developed to specify how we will safeguard PHI while it is in our areas.

Page 7: What is Protected Information?

Protected Information includes:

Name

Address

SSN

Clinical Notes

Etc.

It may come in:

Emails

Faxes

Other correspondence

Page 8: What actions must we take to safeguard media containing PHI?

A key word in the HIPAA regulations is ‘REASONABLE’:

REASONABLE steps

REASONABLE effort

Our policies and procedures contain reasonable steps to meet the rules and regulations of the HIPAA Privacy Standard.

Page 9: What are reasonable safeguards?

All established procedures for your department must be followed in handling and safeguarding PHI in any form, including from an FTP site, electronically, or on media (portable hard drives, iPads, tablets, laptops, DVDs, CDs, tapes, CD-ROMs, etc.).

PHI should NEVER be left open, accessible or in plain view.

Page 10: Penalties for Non-Compliance?

Employees are to understand HIPAA and also take it seriously.

CMS, AHCA and the OIG have outlined severe penalties for HIPAA violations.

Page 11: What are the Penalties?

Unintentional Disclosure

As the law is now written, the penalty is $100 per occurrence.

Disciplinary action will be taken, up to and including termination.

Page 12: What are the Penalties? (Cont)

Intentional Disclosure

A fine of up to $250,000 may be imposed, with the possibility of 10 years in prison.

An employee’s employment with the company will be terminated.

Page 13: What to do?

Immediately notify your Supervisor.

Page 14: What is a business associate?

A person or organization that performs a function on behalf of a covered entity (our doctors, for example) but is not part of the entity’s (the doctor’s) workforce.

Any organization that handles a doctor’s PHI, regardless of format, is considered his or her Business Associate.

Page 15: What is a BAA?

Business Associate Agreement

The HIPAA Privacy Standard permits disclosure of the doctor’s PHI to Business Associates after obtaining a satisfactory BAA from the business associate.

Page 16: Do Doctors Need a BAA?


Short Answer: Yes

Business Associate Agreement

Will all Entities Require a BAA?

YES!

Page 17: HIPAA Actions at ArchCare

Compliance Officer

Policies and Procedures

Implementing Rules and Regulations

Page 18: Example of HIPAA

Page 19: Summary of HIPAA Standard Rule

The summary of the HIPAA Security Standards Rule begins:

This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information.

This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Page 20: Purpose and Rationale

What is the Purpose?

The Security Standards rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.

WHY?

Because there were no standard measures existing in the health care industry that addressed all aspects of the security of electronic protected health information while it is in use, in storage, or during the exchange of that information between entities.

Because HIPAA mandated security standards to protect an individual's health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans.

Page 21: What does enforcement look like?

The enforcement process for HIPAA transactions and code sets will be primarily complaint driven.

Process

Upon receipt of a complaint, CMS will notify the provider of the complaint, and the provider would have the opportunity to demonstrate compliance, or to submit a corrective action plan.

If the provider does neither, then CMS will have the discretion to impose penalties.

Page 22: Privacy versus Security under HIPAA

Privacy: PHI in paper, oral and electronic form

Security: Only electronic PHI

Extend to the personnel of a covered entity even if they work at home

Minimum level of documentation that must be retained for 10 years

Page 23: More About the Security Rule

The Security Rule requires Covered Entities to conduct a Risk Analysis of their electronic equipment and to develop policies and procedures to protect PHI on these systems.

Key Point: Breakdown of HIPAA Security Standards

• Technical (21%)
  • 4 Required
  • 5 Addressable

• Administrative (55%)
  • 12 Required
  • 11 Addressable

• Physical (24%)
  • 4 Required
  • 6 Addressable

Page 24: Addressable Implementation Specifications

Covered entities must assess if an implementation specification is reasonable and appropriate based on such factors as:

Risk Analysis

Security Controls

The Cost of Implementation

Page 25: Addressable Implementation Specs

If the implementation specification is determined to be reasonable and appropriate, then the covered entity should implement it.

If the implementation is not reasonable and appropriate, then the covered entity should:

Step 1: Document why it would not be reasonable to implement.

Step 2: Implement an equivalent alternative measure if reasonable and appropriate.

Step 3: Do not implement, and explain in detail why in your documentation.

Page 26: Policy and Procedure

Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(i), (ii), (iii) and (iv).

This standard is not to be construed to permit or excuse an action that violates any other standard, implementation spec or other requirements of this subpart.

A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

Page 27: HIPAA Security Policy

Sanction Policy

An employee who inadvertently leads to the compromising or breach of ePHI will receive the following sanctions:

1st occurrence – verbal warning from supervisor

2nd occurrence – written warning from supervisor and copy of warning put in the employee’s official company file

Additional occurrences – suspension or other actions up to and including termination of employment

Page 28: HIPAA Security Rules Policies (Cont)

Access Authorization Policy:

1. Access to information must be granted based on an individual’s job responsibilities.

2. Access control features, where available, must be implemented to allow users access to only the data and functions required to perform their duties.

Page 29: HIPAA Security Rules Policies (Cont)

Protection from Malicious Software Policy

Applies to:

All PCs (desktops, laptops)

Servers

Internet gateways

Email servers

Smart phones, iPads, tablets

What to do if you have a virus?

NOTE: Backup copies of production software and data will be readily available in the event that a computer needs to be restored due to a virus.

Page 30: HIPAA Security Rules Policies (Cont)

Password Management Policy:

Unique User ID

Passwords must be kept in confidence

Do NOT write any password on a sticky note and post it in your work area!

Unacceptable passwords include: ‘password’, ‘1234’, ‘first initial last name’, ‘qwerty’, birthdays, children’s names and many others

Complete sentences are the best passwords
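The unacceptable-password list on this slide is the kind of rule an account-provisioning system can enforce at password-change time rather than leaving it to memory. The Go program below is an added example, not ArchCare's code or tooling: it rejects the listed patterns (common strings, first initial plus last name, birthdays, children's names) and prefers the sentence-style passphrases the slide recommends. The user record fields, the constructed sample user, and the passphrase thresholds (4 words, 16 characters) are assumptions; the slide gives no numbers.

```go
package main

import (
	"fmt"
	"strings"
)

// UserContext holds the per-user facts the slide says must not appear in a
// password. The field names are assumptions for this example, not ArchCare's.
type UserContext struct {
	FirstName string
	LastName  string
	Birthdate string   // YYYY-MM-DD; a constructed format for this example
	Children  []string // children's names
}

// Strings the slide lists as unacceptable on their own.
var denylist = []string{"password", "1234", "qwerty"}

// The slide says complete sentences are the best passwords but gives no
// numbers; these thresholds are assumed for the check below.
const (
	minPassphraseWords = 4
	minPassphraseLen   = 16
)

// birthdateForms expands an ISO date into the digit strings people commonly
// embed in passwords (YYYYMMDD, MMDDYYYY, DDMMYYYY, MMDDYY, YYYY).
func birthdateForms(iso string) []string {
	parts := strings.Split(iso, "-")
	if len(parts) != 3 || len(parts[0]) != 4 {
		return nil
	}
	y, m, d := parts[0], parts[1], parts[2]
	return []string{y + m + d, m + d + y, d + m + y, m + d + y[2:], y}
}

// CheckPassword returns every policy violation found in candidate. An empty
// result means the candidate passes the rules listed on the slide.
func CheckPassword(candidate string, u UserContext) []string {
	var problems []string
	lower := strings.ToLower(candidate)

	for _, bad := range denylist {
		if strings.Contains(lower, bad) {
			problems = append(problems, "contains the common string '"+bad+"'")
		}
	}
	if u.FirstName != "" && u.LastName != "" {
		if strings.Contains(lower, strings.ToLower(u.FirstName[:1]+u.LastName)) {
			problems = append(problems, "contains first initial plus last name")
		}
	}
	for _, form := range birthdateForms(u.Birthdate) {
		if strings.Contains(lower, form) {
			problems = append(problems, "contains a birthday")
			break
		}
	}
	for _, child := range u.Children {
		if child != "" && strings.Contains(lower, strings.ToLower(child)) {
			problems = append(problems, "contains a child's name")
			break
		}
	}
	// Sentence-style passphrases: several words and a reasonable total length.
	if len(strings.Fields(candidate)) < minPassphraseWords || len(candidate) < minPassphraseLen {
		problems = append(problems, "not a sentence-style passphrase")
	}
	return problems
}

func main() {
	// Constructed user record for demonstration only.
	u := UserContext{FirstName: "Jane", LastName: "Sample", Birthdate: "1980-02-14", Children: []string{"Alex"}}
	candidates := []string{"password", "jsample2020", "Alex02141980", "My dog chases the mail truck every morning."}
	for _, c := range candidates {
		problems := CheckPassword(c, u)
		if len(problems) == 0 {
			fmt.Printf("%q: acceptable\n", c)
			continue
		}
		fmt.Printf("%q: rejected (%s)\n", c, strings.Join(problems, "; "))
	}
}
```

The check is deliberately a denylist plus a passphrase preference, which is all the slide asks for; it is not a substitute for checking candidates against a list of already-breached passwords, which the slide does not mention.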

Page 31: HIPAA Security Rules Policies (Cont)

Security Incident Procedures

If a breach of a system or unintentional release of electronic PHI occurs, then:

• Immediate notification of the HIPAA Compliance Officer, which is the same as your entity Compliance Officer.

• Actions will be taken immediately by the appropriate department to minimize the damage done by the breach or disclosure. Appropriate individuals will complete the Incident Report Form.

Note

• All actions taken by an employee concerning this incident will be well documented and copies provided to the HIPAA Compliance Officer.

• All actions taken will be completely documented.

Page 32: HIPAA Security Rules Policies (Cont)

Access Control and Validation Procedures

An I.D./access badge will be issued to each employee.

The access badge must be worn at all times while on Company property.

When employment ends, the access badge must be returned immediately. The badge must be deleted from the access system immediately.

Page 33: HIPAA Security Rules Policies (Cont)

Workstation Use and Security Policies:

All employees will implement workstation locking with screen saver on all computers:

When walking away from your computer, hit “Control + Alt + Delete”, then “Lock this Computer”.

Consult IT for locking assistance.

Remember: LOCK IF YOU WALK!

Page 34: HIPAA Security Rules Policies (Cont)

Unique User Identification Policy:

All users are required to log in to systems before usage is granted.

All users must log in with a unique username and password.

Page 35: HIPAA Security Rules Policies (Cont)

Controlled Access

Page 36: HIPAA Security Rules Policies (Cont)

Sample access badge (Picture, Name, Position, Organization):

Dan Doctor, MD
Physician
ArchCare

Access badge must be displayed at all times while on Company property.

Page 37: HIPAA Security Rules Policies (Cont)

Device and Media Disposal Policy

This policy will apply to:

PDAs

Laptops

iPads and Tablets

Desktop Computers

Backup Tape and Disks

Flash Drives

If a hard drive or media cannot be cleaned as described, it will be physically destroyed in a manner that will make it completely unusable and unrecoverable.

Page 38: HIPAA Security Rules Policies (Cont)

Encryption Policy

All files that contain PHI that are sent over public networks will be encrypted.

Where possible, strong encryption such as SSL, PGP or AES is used to secure files before transmission.

Page 39: What’s the Impact?

Impact of not complying with the HIPAA Security Final Rule:

Possible litigation or other lawsuits

Loss of public confidence

Penalties:

Civil monetary penalties for each violation of a standard

Criminal penalties for wrongful disclosure of PHI

Other actions may be forthcoming

Page 40: In Review

Today we have studied:

The definition of the term HIPAA

The different provisions of law contained in HIPAA regulations

How HIPAA affects our organization and each individual employee

The meaning of the term PHI

How to safeguard PHI

The key components of the Privacy and Security Policy

Page 41: Thank You for Your Time