HIPAA How It Is Affecting Information Systems Within Companies Around Us

Team Lexi

• Marlene Reischman

• Denise Pope

• Johnny Lepschat

• Jared Cheney

• William Paugh

Why HIPAA Came About

• Define HIPAA
  – Health Information Portability and Accountability Act (1996)
  – Healthcare related companies
  – Non-healthcare related companies

Steps To Compliance

• Does the Legislation Apply?
• Appoint a “Privacy Official”
• Privacy Policy
  – Who
  – When
  – What
  – Why
  – How
• Instructions
• Verification

Steps to Compliance, Cont.

• Training
  – Regulations
  – Documentation Process
  – Computers
• Procedures
  – Protected
  – Identifiable
  – IS department

Electronic Compliancy

• Constantly Changing Legislation
• Modifications to Existing Systems
• Systems Must:
  – Monitor and control access to protected information
  – Include security features such as passwords and regulated access
  – Have extra security and monitoring of electronic transfers of information to another entity
  – Have easy access to complete medical records at patient’s request
  – Be easy to upgrade
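The system requirements on this slide, as an added example that is not part of the presentation: a small Python record store that controls who may read protected information, writes an audit line for every attempt (allowed or denied), records transfers to another entity separately with their recipient, and returns the complete record to the patient on request. Roles, IDs and the sample entries are assumed for illustration.

```python
from dataclasses import dataclass, field

class AccessDenied(Exception): pass   # actor may not read or send a record

@dataclass
class Record:
    patient_id: str
    treating_staff: set                  # staff IDs with a treatment relationship
    entries: list = field(default_factory=list)

class PHIStore:
    def __init__(self):
        self.records = {}
        self.audit = []                  # (actor, role, action, patient_id, allowed)
        self.disclosures = []            # transfers to another entity, with recipient

    def add_record(self, rec):
        self.records[rec.patient_id] = rec

    def _permitted(self, actor, role, rec):
        # Patients see their own complete record; clinicians only patients they treat.
        if role == "patient":
            return actor == rec.patient_id
        if role == "clinician":
            return actor in rec.treating_staff
        return False                     # every other role is denied by default

    def read(self, actor, role, patient_id):
        rec = self.records[patient_id]
        ok = self._permitted(actor, role, rec)
        self.audit.append((actor, role, "read", patient_id, ok))   # denied attempts too
        if not ok:
            raise AccessDenied(f"{actor} may not read {patient_id}")
        return list(rec.entries)         # copy, so callers cannot alter the stored record

    def transfer(self, actor, role, patient_id, recipient, authorized):
        # PHI sent to another entity needs a permitted actor AND an authorization,
        # and the recipient is recorded so each disclosure can be accounted for later.
        rec = self.records[patient_id]
        ok = self._permitted(actor, role, rec) and authorized
        self.audit.append((actor, role, "transfer", patient_id, ok))
        if not ok:
            raise AccessDenied(f"transfer of {patient_id} to {recipient} refused")
        self.disclosures.append((patient_id, recipient, actor))
        return list(rec.entries)

def demo():
    # Constructed sample data with assumed IDs; returns the store for inspection.
    store = PHIStore()
    store.add_record(Record("P001", {"DR7"}, ["2004-03-01 visit", "2004-03-08 labs"]))
    return store
```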

HIPAA Compliance Impact

• Impact on Becoming Compliant
  – Capital Outlay
  – Security Development
  – Departmental Changes

Capital Outlay

• Medium to Large Organizations Can Spend Tens of Thousands of Dollars This Year

• Some Small Organizations Unable to Handle the Added Expense

• Federal Aid Funding Stretched Thin

Penalties For Non-Compliance

• $100 Per Offense

• $25,000 Maximum Penalty

• If Misused With Intent,
  – $50,000 to $250,000 Fine
  – 1 to 10 Years in Prison

Security Development

• The Four Major Areas of Security Development
  – Administrative Procedures
  – Physical Safeguards
  – Technical Security Services
  – Technical Security Mechanisms

Security Continued

• All Electronic Information Has to Be Secured in All of the Following Ways:
  – Access
  – Transmission
  – Maintenance
  – Storage

Departmental Changes

• IT Challenges

• HR Restructuring

• Other Departments

IT Challenges

• Assess Needs

• Implement New Systems

• Implement New Procedures

• Develop New Security Strategies

HR Restructuring

• Change in Database to Dissociate Name From Information

• Change in Forms

• Change in Information Gathering Process

• Change in Staff Training

Other Departments

• New Procedures
  – Require Training For Many Employees

• New Policies
  – Require Attention By All Employees

Real World Cases

• Bank

• Rehab Facility

• Other Organizations

Bank

• Hybrid Entity
  – Provides Medical Insurance
  – Provides Employee Assistance Program (EAP)

• Bank Requests Information (Insurance Company)
  – Formal Documentation

• Bank Provides Information (EAP)
  – Requests Documentation

Rehab Facility

• Staff Training

• Information System Security

• Physical Security

• New Policies and Procedures

Other Organizations

• Healthcare Related

• Non-Healthcare Related

HIPAA Privacy Rule and Public Health: Balancing Individual Needs with Those of Society

• U.S. Department of Health and Human Services: Office for Civil Rights has responsibility for enforcing the Privacy Rule

• Centers for Disease Control and Severe Acute Respiratory Syndrome (SARS): When can information be released?

http://www.hhs.gov/ocr/hipaa/

http://www.cdc.gov/

Protected Health Information (PHI) That Does Not Require Authorization Under the Privacy Rule:

• Reporting of disease, injury, and vital events

• Conducting public health surveillance, investigations and interventions

• Reporting child abuse or neglect to public health

• A person subject to jurisdiction of the Food and Drug Administration (FDA)

PHI, Cont.

• Exposure to a communicable disease, or at risk for contracting or spreading a disease or condition

• An employer, as needed to meet the requirements of the Occupational Safety and Health Administration, Mine Safety and Health Administration, or a similar state law

Source: Adapted from [45 CFR § 164.512(b)]

Questions to answer

• Are companies being successful at being compliant with HIPAA?

• What emphasis changes may need to happen to push compliance?

• Is the goal of HIPAA being met?