2015 HIPAA Changes That Will Impact Your
Organization
Presented By:
This manual was created for online viewing. State specific information in this manual is used for illustration and is an example only.
mail: P.O. Box 509 Eau Claire, WI 54702-0509 • telephone: 866-352-9539 • fax: 715-833-3953email: [email protected] • website: www.lorman.com • seminar id: 395773
Paul Szklarski, FACHEFoxboro Consulting Group, Inc.
Take advantage of this special offer for $50 off of a Lorman
live webinar!
C O N V E N I E N T:Lorman offers a wide variety of live webinars covering current issues affecting numerous industries. Learn the latest on legal compliance, cost savings and strategies, and business trends.
E X P E R I E N C E D :Learn about today’s hot topics presented by our expert speakers who represent prominent firms and have years of industry experience and knowledge.
C U R R E N T :In today’s business world, staying current of the ever-changing regulations is absolutely necessary in order to advance in your field. Earn continuing education credits, educate your entire team and ask questions of the speakers. For a complete listing of upcoming live webinars visit www.lorman.com.
SPECIAL OFFER
$50 OFFYOUR NEXT Discount Code Y1719669This offer can not be used in combination with other discounts.
LIVE WEBINAR
2015 HIPAA Changes That Will Impact Your
Organization
©2015 Lorman Education Services. All Rights Reserved.
All Rights Reserved. Lorman programs are copyrighted and may not be recorded or transcribed in whole or part without its express prior written permission. Your attendance at a Lorman seminar constitutes your agreement not to record or transcribe all or any part of it.
Full terms and conditions available at www.lorman.com/terms.php.
This publication is designed to provide general information on the topic presented. It is sold with the understanding that the publisher is not engaged in rendering any legal or professional services. The opinions or viewpoints expressed by faculty members do not necessarily reflect those of Lorman Education Services. These materials were
prepared by the faculty who are solely responsible for the correctness and appropriateness of the content. Although this manual is prepared by professionals, the content and information provided should not be used as a substitute for professional services, and such content and information does not constitute legal or other professional
advice. If legal or other professional advice is required, the services of a professional should be sought. Lorman Education Services is in no way responsible or liable for any advice or information provided by the faculty.
This disclosure may be required by the Circular 230 regulations of the U.S. Treasury and the Internal Revenue Service. We inform you that any federal tax advice contained in this written communication (including any attachments) is not intended to be used, and cannot be used, for the purpose of (i) avoiding federal tax penalties imposed by
the federal government or (ii) promoting, marketing or recommending to another party any tax related matters addressed herein.
mail: P.O. Box 509 Eau Claire, WI 54702-0509 • telephone: 866-352-9539 • fax: 715-833-3953email: [email protected] • website: www.lorman.com • seminar id: 395773
Prepared By:Paul Szklarski, FACHE
Foxboro Consulting Group, Inc.
Truste
d by
1.4 Milli
on Customers
Get Starte
d Today
Ph: 800-678-3940
With more than 27 years of experience and 1.4 million customers and counting, we here at Lorman Education Services still have one core belief:
Learning drives development and innovation.
So at no cost to you the Lorman Affiliate Program allows you to earn extra revenue while expanding continuing education offerings
to your organization and customers.
Personalized Affiliate Portal Marketing Assistance
Dedicated Account Manager Revenue Share
• Easily filter through all of the courses Lorman offers so you only promote the courses your members and customers are interested in
• In-depth analytics allows you to sell more effectively by tracking who, how much and what course they purchased
•Our staff will help create turnkey marketing emails and social media promotions to help you get your marketing off the ground and working
•We can provide you with a list of courses that are doing well to help increase your sales because when you win we win
•We believe that a true partnership is two parties working together so that is why every Affiliate Partner, no matter the size, is assigned their own dedicated account manager
•Our account managers will reach out to you and act as your go to resource for any questions or concerns
•Why wait for your money? Lorman sends out your commission check monthly so you can reinvest in your organization and grow
•We want you to succeed so that is why we have an aggressive revenue share program that gives you the ability to offer discounts to your organizationand subscribers
Become a
AffiliateEDUCATION SERVICES
R
A DIVISION OF LORMAN BUSINESS CENTER, INC.
www.lorman.com/affiliateprogram/
For more information please check out our Lorman Affiliate video.
Want to learn more? Contact a Lorman All-Access Pass Specialist:
[email protected] or call 1-877-296-2169
www.lorman.com/pass
train
develop
grow
educatemotivate
Be Part of
Something
BIGengage
Introducing the Lorman All-Access Pass:•UnlimitedLiveWebinars
•UnlimitedOnDemandandMP3Downloads
•ThousandsofWhitePapers,ReportsandArticles
•Allofthisforonly$699for12months
Invest in YourselfYou haven’t gotten to where you are professionally by luck alone; it has taken a
lot of hard work and training. Invest in yourself with the All-Access Pass.
What is the cost of in-house training?Our pricing is structured to meet the distinct needs of each client. Since each customer experience is different, we will work with you to get you the most affordable price based on your training needs.
How many employees should we train?We recommend a minimum of 10 employees to be trained at one time; however, there is no limit to the number of employees that can be trained at any event. A higher number of attendees benefits the group dynamics and increases your cost efficiency.
How long does the training last?You determine the schedule. We can provide training for half-day, full-day and multiday sessions; and we even present in-house training via live webinar. Every attempt will be made to accommodate any schedule requirement you may have.
Getting started ... Get an initial consultation quickly. We will determine your individual training needs, expectations and the timeframe you would like to schedule the event.Call our in-house training account manager at 877-214-9727 or email us at [email protected].
Lorman In-House Training
• Train together in the convenience of your office• Confidential, convenient and cost-effective• Choose from programs already designed or customize your
agenda• Credits available for various programs• Expert speakers
Contact us at 877-214-9727 or [email protected]
Train More for LessDo you need training for your staff,
but can’t send them all to a pre-scheduled event? Stay compliant while saving money
by having the experts come right to you.
2
Definitions
• HIPAA
• HITECH
• PSQIA and ACA
• Red Flag
• FERPA
AUDITS in 2016
Updates
• HIPAA and other rules for 2015 - 2016
• Violation Cases
• Electronic Medical Records
• Cost of Violations
Audits in 2016
3
Penalties
HIPAA is controlled by the Federal Office of Civil RightsCost to defendant: minimum $100,000
Business Associate same as Covered Entity
Penalties• Could not have known: $100 to
$50,000 per and $1,500,000 per year
• Reasonable cause not willful: $1,000 to $50,000 to $1.5 million per year
• Willful neglect but caught in 30 days: Mandatory $10k to $50k per and $1.5 million max per year
• Willful and not fixed in 30 days: Mandatory $50k per claim minimum up to $1.5 million/year
• PSQIA = $11k per violation
4
Protection• Thinking like a CRIMINAL
Fictional
George also works for City Community General Hospital - he reports to VP operations. George is trained as an electrician, attended trade school, lives locally with his wife and children across town. George has worked at the hospital for five years and handles general maintenance for the hospital. He has many friends and he is considered a great employee.
George was involved in a serious auto accident two years ago. He engaged an unscrupulous attorney to represent him. George is now dependent upon pain killers, his marriage is shaky, and he has money problems.
Mary works for City Community General Hospital - You are her supervisor.
You hired Mary two years ago to register patients in your Emergency Department. Mary is young, very bright, and treats your patients very well. She previously worked at a local doctor’s office and her references all checked out. She has a high school education and lives as a single parent in the community.
Mary earns little more than poverty level since she has two children. She lives in low income housing and receives food stamps. Mary is worried that her two little boys will grow up in subsidized housing. Mary’s sister knows someone with an apartment for rent in a better neighborhood and has been pressuring Mary to move.
5
Think like a criminal
George and Mary both need moneyGeorge knows that his attorney will pay $50 for every accident chart he can get from the hospital. The attorney pays cash, every Friday for charts sent to his office.
George sees Mary one night on the 3pm to 11pm shift in the Emergency Department. They know each other from high school. It was a quiet night and Mary laughed that all they had all night was auto accidents after the bingo game at the community center. Ten people in all. George did the math and Mary agreed.
Exercise
• Text me a photo of your business card to mobile # 609-515-0669. Fastest wins
6
Result
• Eleven employees were arrested and prosecuted. The hospital was fined. It was estimated that the total amount paid to the employees exceeded three times their annual salary. (True story)
More thinking
• If were going to steal information - how would you do it?
• How might it be detected?
• What will you do if you discover it?
7
Use Dropbox - or similarFlash or keychain drivesUse smartphone camera
PhotocopyEmail
Email in BG follow staff (including professionals)
BG Walk in and just pick up the computer (true)
More criminal thoughts
What will the headlines be?
“Local health care institution involved in
sale of medical records”
8
Accidents
• The dog ate my flash drive
• Car accident
• Law enforcement
• Theft
• Wrong address
Protection continued
• Manage by walking around & DOCUMENT
• Process and procedure for preventing activity
• Whisper campaign
• Handling of confidential information: EMR, Scheduling, Email, FaceBook, LinkedIn, Phones, Flash Drives, Credit Cards
9
More protection
• Disable USB ports• Use of cameras in work area
cause for termination• Restrict Internet Access
Dropbox, Google Docs, etc• Review History on computers• Restrict Tablets to break areas• Educate for compliance
Document, Document, Document
More Protection
• Visitors: ID Check everyone • Contractors: Include in education
ID Check and BAA• Auditors: ID Check and Business
Associate Agreement (BAA) • Family members: ID Check • Reps: ID Check and BAA• Computer placement
+++ Atmosphere of respect
10
Important
• Keep your employee administrative records and employee health records separate
• Employee health records must be treated in accordance with HIPAA records with only authorized staff handling minimally necessary information
Disposal of Electronics
What has medical data on it?
CopiersMedical Equipment (EKG)
X Ray film Digital Camera
CD, USB, PhonesTabletsCloud
Video SecurityDictation
ComputersEven old IBM Selectrics
11
Profit of Fraud and Theft
• Medical Records
• Medicare Numbers
• Medicaid Numbers
• Credit Card Numbers
• All of the Above
Business Associate Agreements
• Define who is a Business Associate
• Ensure Compliance
• Your responsibilities as an employee and as an individual
12
Minimally Necessary
Case of the abusing Law Enforcement Officer
Workers Compensation and “AOB”
Mental Health and Substance Abuse
Prisons
Breach
• What is a breach?
• Breach reporting requirements: Unsecured and 500# must be reported to media and HHS. Under 500# reported annually (60 days)
• Breach Damage Control
• Cost of Violations
13
Not a Breach
• When is it OK to release medical information with the patient’s consent?
• How about without it?
• Does everyone know this?
Special Circumstances
• Disasters
• Public Safety
• Mental Health and Substance Abuse
• Law enforcement and court subpoena
• Prison System
14
HIPAA Management
1. Information Access Controls2. Data management (Contingency, Backup, Retention)3. Documentation4. Compliance Evaluations5. Contracts with Third Parties6. Data Encryption7. Transmission of confidential information8. Physical Access controls9. Media Management and Disposal10. Breach Response11. Discovery Response12. Wireless networks13. Portable Devices14. Acceptable Use15. Minimally Necessary16. Breach and Suspicious Activity 17. All polices dated and up dated
Exercise
• Breach• Not a Breach• Bad Practice
15
You receive a subpoena from a client’s patient’s husband’s attorney to produce all medical records and you send them
Your storage and shredding company routinely picks up your paperwork and
all seems to be working well
You add a new software that transmits billing claims automatically to your collection agency
andthe agency can access your EMR for
discharge summaries
An attorney calls and asks if your practice covers the Joan Jones accident
16
An employee takes home medical files on client employees, reviews them and determines that the files are closed. Since they are copies, the employee drops them in their home trash can.
Your cleaning service downloads all your work comp case management files when your office is empty and sells the data to a law firm.
The managing partner in the medical practicedrives home with 25 medical charts in the car.
She stops at the supermarket on the way home and her car is stolen from the parking lot.
What is appropriate response?
17
If we don’t think like a criminal, someone will.
Audits are mechanisms by which we “trust, but verify.”
We accept audits and so must our employees.
Confidentiality is everyone’s responsibility.
Thank you!
Paul Szklarski, FACHE CoTactix, llc
mobile (609) 515-0669
18
Notes
