Date post: | 21-Jan-2017 |
Category: |
Healthcare |
Upload: | cbiz-inc |
View: | 579 times |
Download: | 0 times |
KEYS TO HIPAA COMPLIANCE for CAAP Practice Managers
Amy Wasdin, RN, MBA, CPHRM Patient Safety Risk Manager II, Dept. of Patient Safety and Risk Management The Doctors Company March 17, 2016
DISCLOSURE STATEMENT
The Doctors Company would like to disclose that no one in a position to control or influence the content of this activity has reported relevant financial relationships with commercial interests.
The information and guidelines contained in this activity are generalized and may not apply to all practice situations. The faculty recommends that legal advice be obtained from a qualified attorney for specific application to your practice. The information is intended for educational purposes and should be used as a reference guide only.
2 KEYS TO HIPAA COMPLIANCE for Practice Managers
OBJECTIVES
After completing this activity, learners will be able to:
Review the purpose of the HIPAA Privacy and Security Rules Discuss the 2013 Omnibus Rule and its impact on: − Disclosures of Protected Health Information, − Patient Rights, and − Business Associates
Describe the notifications necessary for a breach of PHI. Outline the steps necessary for HIPAA compliance in a medical practice.
KEYS TO HIPAA COMPLIANCE for Practice Managers 3
I never had a policy; I have just tried to do my very best each
and every day. --Abraham Lincoln
1809-1865
How HIPAA compliant are you? Select one: A. I am 100% confident that our practice is HIPAA
compliant. B. I am fairly certain that our practice is HIPAA
compliant but I’m not sure. C. Our practice is not HIPAA compliant. D. What’s HIPAA?
5 KEYS TO HIPAA COMPLIANCE for Practice Managers
KEY CONCEPTS UNDER HIPAA Protected Health Information (PHI) − All individually identifiable health information − Held or transmitted by a covered entity or its business associate − In any form or media, whether electronic, paper, or oral
Covered Entity (CE) − Health plan or health care clearinghouse − Health care provider
Business Associates (BA) − Persons or organizations that perform certain functions on behalf of a
CE (billing, claims processing, data analysis)
6 KEYS TO HIPAA COMPLIANCE for Practice Managers
OVERVIEW OF HIPAA Healthcare Insurance Portability and Accountability Act:
the Privacy Rule and the Security Rule Protects privacy and confidentiality of PHI
Assures security of electronic information
The overall idea: − Assure information is properly protected, but still promote flow and use
of technology to facilitate care
Some state laws are more stringent than HIPAA − If so, state law takes precedent over federal HIPAA
7 KEYS TO HIPAA COMPLIANCE for Practice Managers
HIPAA VIOLATIONS ON THE RISE…
Total complaints received thru Dec 31, 2015:
125,4451
2014 saw a 25% increase in HIPAAA breaches2
− 2013: Loss and theft of laptops and portable devices.
− 2014: “The year of the hacker” - CHS: 4.5 million patients
Paper records are as vulnerable, or more, than electronic records3
[1] HHS Compliance and Enforcement Numbers at a Glance. Mar 11 2016. www.hhs.gov [2] 2014 Saw 25% Increase in HIPAA Breaches. Mar 11 2016. www.hipaajournal.com [3] HIPAA in a HITECH World: HIPAA Violations on the Rise. Smart Data Collective, March 25, 2013
8 KEYS TO HIPAA COMPLIANCE for Practice Managers
HIPAA FINES… Alaska DHHS fined $1.7 million
− USB device stolen from employee vehicle
Cignet Health fined $4.3 million − Failure to provide medical records to 41 patients
UCLA fined $865,500 − Snooping employees
CVS fined $2.25 million − Disposal of PHI in trashcans
Blue Cross of Tennessee fined $1.5 million − Unencrypted laptops stolen
9 KEYS TO HIPAA COMPLIANCE for Practice Managers
DATA BREACH: GEORGIA HOSPICE GROUP
Unencrypted company laptop containing personal health information was stolen from an employee's car in 2013. Nearly 2,000 patients affected by the breach. Officials say the laptop contained patient names, addresses, phone numbers, dates of birth, Social Security numbers, insurance numbers, clinical diagnoses and provider names.
Healthcare IT News - February 2013
10 KEYS TO HIPAA COMPLIANCE for Practice Managers
CARDIAC SURGERY PRACTICE April 2012–Phoenix Cardiac Surgery $100,000 with Corrective Action Plan Failed to implement policies to safeguard PHI Failed to document training of employees on Privacy
and Security Rules Failed to identify a security official and conduct
risk analysis Failed to have BA agreements with Internet based
e-mail and calendar services where provision of the service included storage of and access to its PHI
11 KEYS TO HIPAA COMPLIANCE for Practice Managers
PHI 18 IDENTIFIERS Name Medical record number Health plan beneficiary number Device identifiers and serial
numbers Vehicle identifiers and serial
numbers Biometric identifiers
(i.e., finger and voice prints)
Full face photos and other comparable images
Any other unique identifying number, code, or characteristic
Postal address All elements of dates except year Telephone number Fax number E-mail address URL address (Uniform Resource
Locator or web address) IP security (Internet Protocol
address numbers) Social Security number Account numbers License numbers
12 KEYS TO HIPAA COMPLIANCE for Practice Managers
Patient consent not required for…
Use in treatment, payment, or operations (TPO)
When records are subpoenaed − Check with MPL carrier for subpoena validity
Public interest or public health activities–required by law: − Mandated report of abuse to proper agencies − Preventing and controlling disease–CDC reports − FDA
AUTHORIZED USE AND DISCLOSURE
13 KEYS TO HIPAA COMPLIANCE for Practice Managers
AUTHORIZED USE AND DISCLOSURE
Most of the time… Valid Authorization is required to release records to
another party
Specific consent required for… Psychotherapy notes Alcohol and drug abuse treatment program notes Participation in research studies −Even for re-disclosure of any of the above
14 KEYS TO HIPAA COMPLIANCE for Practice Managers
(continued)
SECURITY SAFEGUARDS Administrative
– Security Risk Assessment
– Designated Privacy Officer
– Policies and Procedures
– Staff training
Physical Technical
15 KEYS TO HIPAA COMPLIANCE for Practice Managers
THE FINAL OMNIBUS HIPAA RULE
Effective March 26, 2013
Enforcement began September 23, 2013
−HITECH Modification
−HIPAA Enforcement Rule
−Breach Notification Rule
16 KEYS TO HIPAA COMPLIANCE for Practice Managers
WHO DID THE CHANGES AFFECT?
HIPAA Covered Entities: − Healthcare providers, health systems, health plans, clearinghouses
HIPAA Business Associates and subcontractors: − Vendors who contract with Covered Entities and access protected
health information (PHI) −Examples: Technology vendors, service organizations,
accountable care organizations, third party administrators
17 KEYS TO HIPAA COMPLIANCE for Practice Managers
OMNIBUS RULE - HITECH
Holds BA’s directly liable for compliance; Strengthens limitation on use and disclosure
of PHI; Expands individual’s rights
How does this impact practice? …
Notice of Privacy Practices (NPP)
18 KEYS TO HIPAA COMPLIANCE for Practice Managers
NPP MODIFICATIONS
Prohibition on the sale of PHI without authorization
Duty of CE to notify affected individuals of a breach of unsecured PHI
Right to restrict disclosures of PHI to health plan for care that was paid out of pocket in full
For CE that stated intent to fundraise in NPP, must also advise individual of the right to opt out of receiving fundraising communications from CE
19 KEYS TO HIPAA COMPLIANCE for Practice Managers
NPP NOTIFICATION TO PATIENTS
Must make the NPP available upon request on or after the effective date of the revision
Must make the NPP available at the service delivery site and post the NPP in a clear and prominent location
A health care provider is required to give a copy of its NPP only to new patients—and not all individuals seeking treatment
20 KEYS TO HIPAA COMPLIANCE for Practice Managers
OMNIBUS – HIPAA ENFORCEMENT RULE
Modifies privacy, security, and enforcement rule of HIPAA
How does this impact the practice? ...
Penalties
21 KEYS TO HIPAA COMPLIANCE for Practice Managers
OMNIBUS – BREACH NOTIFICATION RULE
Establishes a process for notifying patients and HHS when there is a breach of unsecured PHI.
How does this impact the practice? ...
CE’s are required to notify patients.
22 KEYS TO HIPAA COMPLIANCE for Practice Managers
BREACH OF PHI
Any acquisition, access, use or disclosure
not permitted is a Breach…
UNLESS
the CE or BA demonstrates
a low probability of PHI compromise.
23 KEYS TO HIPAA COMPLIANCE for Practice Managers
BREACH NOTIFICATION OF UNSECURED PHI
Applies to breach of unsecured PHI
Applies to covered entities and business associates
Business Associates notify Covered Entity
Covered entity has burden to notify patient (unencrypted)
Must notify each individual affected by the breach (written notification within 60 days of discovery)
Discovery date = first date known
24 KEYS TO HIPAA COMPLIANCE for Practice Managers
BREACH EXCEPTIONS
Unintentional acquisition, access, or use by workforce member with no further impermissible use
Inadvertent disclosure from one authorized person to another or CE or BA and no further impermissible use
Recipient could not reasonably have retained the PHI
Encrypted data per OCR guidance
25 KEYS TO HIPAA COMPLIANCE for Practice Managers
BREACH NOTIFICATION REQUIREMENTS
Individual − Contact by phone if urgent − Written breach notification – first class mail unless e-mail preferred
HHS − <500 = Annual log report − >500 = Media notice and immediate notice HHS Secretary
Annual report to HHS of all breaches
Media − <500 residents of a state or jurisdiction − Insufficient contact information for 10 or more individuals
26 KEYS TO HIPAA COMPLIANCE for Practice Managers
BREACH NOTIFICATION REQUIREMENTS
What happened?
What information was breached?
What steps the patient should take for protection?
What the CE is doing to investigate, mitigate and prevent future incidents?
CE contact information
Adhere to HIPAA Compliance plan for breach
27 KEYS TO HIPAA COMPLIANCE for Practice Managers
(continued)
BREACH RESPONSE –WHAT IS YOUR PLAN?
Determine root cause of breach
Identify gaps in compliance that led to breach
Provide evidence that root cause has been addressed and gaps corrected
28 KEYS TO HIPAA COMPLIANCE for Practice Managers
TOP FIVE ISSUES IN INVESTIGATED CASES
OCR took corrective action most often on… Impermissible use and disclosure
Safeguards − Not in place–fax, email, computer accessibility, etc.
Access − Access to records was granted or not granted improperly
Minimum necessary − More information than needed was disclosed (e.g., phone message)
Notice of privacy practices – Not given
29 KEYS TO HIPAA COMPLIANCE for Practice Managers
BUSINESS ASSOCIATES
AGREEMENTS
Business Associate Agreements must be updated to include specific new provisions
Existing agreements, entered before January 25, 2013, may operate until agreement is amended / renewed, or until September 22, 2014, whichever is earlier
Covered Entities and Business Associates will need to modify agreements and allocate risk through use of insurance requirements and indemnity provisions
30 KEYS TO HIPAA COMPLIANCE for Practice Managers
PUTTING IT ALL TOGETHER
WHAT ACTIONS ARE REQUIRED? Perform risk assessment. Establish risk management plan to address and manage
areas of vulnerability. Designate a HIPAA Security officer. Encrypt all devices that contact PHI Have written policies on Sanctions and Breach Notification Train staff on how to protect PHI and ensure your policies
are compliance with HIPAA Audit/Test physical and electronic security policies and
procedures regularly Documentation
32 KEYS TO HIPAA COMPLIANCE for Practice Managers
IF NOT ALREADY ADDRESSED…
Update Notice of Privacy Practices
Revise all Business Associates Agreements
33 KEYS TO HIPAA COMPLIANCE for Practice Managers
Testing Your Compliance
Select One: A. I am 100% confident that our practice is HIPAA
compliant. B. I am fairly certain that our practice is HIPAA
compliant but I’m not sure. C. Our practice is not HIPAA compliant. D. What’s HIPAA?
34 KEYS TO HIPAA COMPLIANCE for Practice Managers
TIPS FOR
PRIVACY AND SECURITY Limit access to a “need to know” basis Do not conduct discussion in elevators, waiting area, or
other public areas If you see a patient in a public place, be careful in greeting
him/her Obtain patient’s permission before discussing
care/treatment if there is someone with him/her Keep voices down when discussing PHI Log off computer when done
35 KEYS TO HIPAA COMPLIANCE for Practice Managers
TIPS FOR PRIVACY AND SECURITY
Use password protected or encrypted systems Never share your password Protect zip drives, laptop, PDA from loss Never leave documents unattended Do not put PHI in the trash Avoid taking records out of the office if possible Obtain written permission before leaving voicemail
messages or emailing Confirm fax numbers before sending and use a
confidentiality statement on your cover sheet
36 KEYS TO HIPAA COMPLIANCE for Practice Managers
(continued)
RESOURCES Security Risk Assessment – HealthIT.gov
www.healthit.gov/providers-professionals/security-risk-assessment
Sample Notice of Privacy Practices-English www.hhs.gov/ocr/privacy/hipaa/npp_fullpage_hc_provider.pdf
Sample Business Associates Agreement www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Take Steps to Protect and Secure Information When Using a Mobile Device www.healthit.gov/sites/default/files/fact-sheet-take-steps-to-protect-information.pdf
Security Rule Educational Paper Series http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
37 KEYS TO HIPAA COMPLIANCE for Practice Managers
The key to wisdom is knowing all the right questions.
--John Simone, Sr. --
Contact Information
For additional Patient Safety information,
please visit our Web site at: www.thedoctors.com
Amy Wasdin, RN, MBA, CPHRM Patient Safety Risk Manager II, Southeast
Department of Patient Safety and Risk Management 800-421-2368, ext 6728
Email: [email protected] ----------------------------------------------------------------------------------------------------------------
Nelson Guzman, CIC, CRM President, CBIZ Trinity
Southeast Regional Healthcare Director, CBIZ Insurance Services Mobile: 404-791-8822
Email: [email protected]
Evan Orvis, Sales Executive Mobile: 770-712-3903 Direct: 470-282-2536
Email: [email protected]
Kathy Alba, CISR, CLCS Senior Account Manager
Direct: 678-389-7858 Email: [email protected]
39 KEYS TO HIPAA COMPLIANCE for Practice Managers
THANK YOU We relentlessly defend, protect, and reward
the practice of good medicine.