
Dental Compliance for Dentists and Business Associates


DESCRIPTION

This presentation discusses covered entities, protected health information (PHI) as it relates to dental practices, and the business associates of those practices. It updates you on major legislation relating to patient privacy laws and explains why protecting PHI is important and what the consequences are for non-compliance with state and federal laws.


Page 1: Dental Compliance for Dentists and Business Associates

HIPAA/ HITECH For Business Associates

For Free compliance tips join our list!

www.DentalCompliance.com

Page 2

Presented by: Duane Tinker & Toothcop

Neither I nor members of my immediate family have any financial relationships with commercial entities that may be relevant to this presentation.

Neither of these guys is a licensed peace officer, attorney, or dentist… they’re not very funny either!

Page 3

Learning Objectives

After completing this presentation, participants should be able to:

• Define Covered Entity, Protected Health Information and Business Associates
• Identify major legislation regarding patient privacy laws in Texas
• Explain why protecting Protected Health Information is important and the consequences for non-compliance with state and federal laws
• Sketch out a plan to achieve compliance for their organizations

Page 4

Overview

Page 5

Compliance Regulations

• HIPAA Privacy
• HIPAA Security
• HB 300 (Texas Medical Privacy Act)
• HITECH

Page 6

HIPAA

• Took effect on April 1st, 2003
• First major regulation in recent years to control fraud, waste and abuse of government programs
• Mandated mechanisms for exchange of information between healthcare clearinghouses, health plans and providers.

Page 7

HITECH

• Took effect in 2009
• Provided federal money for providers to help incorporate EHR into health care practices
• Recognized that the majority of data breaches were caused by Business Associates and that there was (previously) no accountability to enforce HIPAA provisions over unlicensed BAs

Page 8

HB 300 (Texas Medical Privacy Act)

• Took effect on 09/01/2012
• Re-defined “Protected Health Information”
• Expanded the definition of “Covered Entity” to include entities that come into possession of, obtain, assemble, collect, analyze, evaluate, store or transmit PHI.

Page 9

HB 300 (Texas Medical Privacy Act)

Expanded privacy and security mandates on covered entities, such as:

• Employee training (within 60 days of hire and every 2 years)
• Patient access to electronic health records (EHRs) (15 days)
• Identifies the state agencies that regulate covered entities and each agency’s compliance enforcement process (Office of Attorney General for non-licensed C.E.’s)

Page 10

HB 300 (Texas Medical Privacy Act)

• Consumer Information Website
• Prohibits sale or disclosure of PHI
• Consumer notice and authorization required for electronic disclosure of PHI
• Fines and penalties include civil and criminal remedies for non-compliance

Page 11

HITECH Overview

The American Recovery and Reinvestment Act of 2009 (ARRA) became federal law on February 12, 2009. HITECH is part of that law. The goal of HITECH is to enhance and expand the HIPAA Privacy and Security Rules. The HITECH Act not only makes privacy regulations stricter, but it also gives more power to federal and state authorities to enforce privacy and security protections for resident information and data.

Page 12

How does HITECH strengthen patient privacy?

• It increases HIPAA’s patient rights regarding control over their PHI (medical information)
• It limits the use of PHI for marketing purposes
• It mandates breach (unauthorized access or loss of PHI) notification
• It also extends many of the same requirements to those business associates outside of our company to whom we give PHI so they can do their jobs.

Page 13

HIPAA/ HITECH Final Omnibus Rule

Published January 25th, 2013

Expands the definition of Business Associates: it now includes entities that “maintain” PHI, in addition to those that create, receive, or transmit PHI for a function or activity such as claims processing or administration, data analysis, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and re-pricing.

The definition extends fully to subcontractors of BAs who perform these functions.

Page 14

HIPAA/ HITECH Final Omnibus Rule

Solidifies that BAs are directly liable for compliance with HIPAA. Under the new rules, BAs are statutorily liable for violations of the HIPAA security rules. They are also subject to the same HIPAA privacy restrictions as covered entities. This includes requirements that BAs create and implement HIPAA privacy and security policies and procedures in relation to the handling of a covered entity’s PHI. BAs may be subject to compliance reviews by the federal Department of Health and Human Services (HHS).

Page 15

HIPAA/ HITECH Final Omnibus Rule

Requires BAs to report breaches of unsecured PHI to the covered entities.

A breach is the unauthorized access of PHI by unintended or unauthorized persons or entities.

Page 16

Important Definitions

Page 17

“Covered Entity”

As per HB 300 and the HITECH Final Rule:

Basically, all persons or entities who receive, possess, or generate protected health information (PHI), or who store and ‘could potentially’ access PHI.

Page 18

“Protected Health Information”

Individually Identifiable Health Information (including demographic data) that relates to:

• The individual’s past, present or future physical or mental health or condition;
• The provision of health care to the individual; or
• The past, present, or future payment for the provision of health care to the individual.

Page 19

“Protected Health Information”

EXAMPLES: Names, Addresses, Date and place of birth, Race, Marital Status, Phone numbers, Fax numbers, Email addresses, Social Security numbers, Medical record numbers, Health insurance beneficiary numbers, Account numbers, Certificate/license numbers, Vehicle identifiers and serial numbers (including license plate numbers), Device identifiers and serial numbers, Web URLs, IP address numbers, Biometric identifiers (including finger, retinal and voice prints), Full face photographic images and any comparable images.

Page 20

HIPAA Privacy Requirements

Page 21

Addressable vs. Required

Required (R) means that complying with the given standard is mandatory and, therefore, must be complied with.

Addressable (A) means that the given standard must be implemented by the organization unless assessments and in-depth risk analysis conclude that implementation is not reasonable and appropriate for the specific business setting. Important Note: Addressable does not mean optional.

Page 22

HIPAA Privacy Requirements

Page 23

Privacy Requirements

• Safeguard documents and communications involving PHI (oral, written and otherwise)
• Shred or definitively destroy documents that are no longer needed
• Notify Covered Entities if any information has been breached
• Have written policies and procedures to account for this information
• See HIPAA Privacy summary for additional

Page 24

HIPAA Security Requirements

Page 25

HIPAA Administrative Requirements

• Risk Analysis: (R) Perform and document a risk analysis to see where PHI is being used and stored and to determine all the possible ways HIPAA could be violated.
• Risk Management: (R) Implement measures sufficient to reduce these risks to an appropriate level.
• Sanction Policy: (R) Implement sanction policies for employees who fail to comply.
• Information Systems Activity Reviews: (R) Regularly review system activity, logs, audit trails, etc.
• Officers: (R) Designate HIPAA Security and Privacy Officers.

Page 26

HIPAA Administrative Requirements

• Employee Oversight: (A) Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing employees’ PHI access. Ensure that an employee’s access to PHI ends with termination of employment.
• Multiple Organizations: (R) Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
• ePHI Access: (A) Implement procedures for granting access to ePHI, and which document access to ePHI or to services and systems which grant access to ePHI.
• Security Reminders: (A) Periodically send updates and reminders of security and privacy policies to employees.

Page 27

HIPAA Administrative Requirements

• Protection against Malware: (A) Have procedures for guarding against, detecting, and reporting malicious software.
• Login Monitoring: (A) Institute monitoring of logins to systems and reporting of discrepancies.
• Password Management: (A) Ensure there are procedures for creating, changing, and protecting passwords.
• Response and Reporting: (R) Identify, document, and respond to security incidents.
• Contingency Plans: (R) Ensure there are accessible backups of ePHI and that there are procedures for restoring any lost data.

Page 28

HIPAA Administrative Requirements

• Contingency Plan Updates and Analysis: (A) Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
• Emergency Mode: (R) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
• Evaluations: (R) Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
• Business Associate Agreements: (R) Have contracts with business partners who will have access to your PHI to ensure that they will be compliant.

Page 29

HIPAA Physical Requirements

• Contingency Operations: (A) Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
• Facility Security: (A) Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
• Access Control and Validation: (A) Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
• Maintenance Records: (A) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security.

Page 30

HIPAA Physical Requirements

• Workstations: (R) Implement policies governing what software can/must be run and how it should be configured on systems that provide access to ePHI. Safeguard all workstations providing access to ePHI and restrict access to authorized users.
• Devices and Media Disposal and Re-use: (R) Create procedures for the secure final disposal of media that contain ePHI and for the reuse of devices and media that could have been used for ePHI.
• Media Movement: (A) Record movements of hardware and media associated with ePHI storage. Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Page 31

HIPAA Technical Requirements

• Unique User Identification: (R) Assign a unique name and/or number for identifying and tracking user identity.
• Emergency Access: (R) Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
• Automatic Logoff: (A) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
• Encryption and Decryption: (A) Implement a mechanism to encrypt and decrypt electronic protected health information when deemed appropriate.

Page 32

HIPAA Technical Requirements

• Audit Controls: (R) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
• ePHI Integrity: (A) Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
• Authentication: (R) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
• Transmission Security: (A) Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Page 33

Action Steps

Page 34

Steps to Compliance

Create, revise, and/or implement HIPAA policies and procedures. Diligently pursue HIPAA-compliant policies and procedures as they relate to HIPAA security and privacy requirements.

Page 35

Steps to Compliance

Ensure you have Business Associate agreements on file with the Covered Entities whose patients’ PHI you have access to. Ensure you have BA agreements with covered entity clients, as well as with subcontractors to whom you delegate BA functions (consider relationships with lenders, transition specialists, practice management, attorneys, and other vendors).

Page 36

Steps to Compliance

Ensure that you and ALL employees or persons for whom you are responsible receive training as required:

• within 60 days of beginning new employment, and
• every two years

Training must include State and Federal requirements.

Page 37

Disclaimer

This presentation is NOT comprehensive and is only intended as a high-level overview of information relevant to Covered Entities and Business Associates. My team and I are happy to provide you with additional information, or you can surf the Internet at:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html

Page 38

Duane Tinker

Duane Tinker traded his gun and badge for a clipboard and classroom to inform and teach Dental professionals how to stay off the radar and out of the news! As President & CEO of Dental Compliance Specialists, LLC, a company specializing in Dental office regulatory compliance, he has taken his expertise as a former law enforcement officer responsible for investigating criminal and civil complaints against practices and now uses this knowledge to assist Dental professionals in avoiding these legal pitfalls. He is a much sought-after speaker and consultant and a member of the Speaking Consulting Network. In this pursuit, today his passion is all about helping beleaguered oral healthcare providers find justice!