HIPAA and Electronic Information

Similar documents
The Relationship Between HIPAA Compliance and Business Associates

Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?

Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?

E. FOCUS: The electronic medical record system and billing platform utilized by MCCMH.

a. When access is requested for non-clinical staff, the appropriate supervisory staff will be the staff s direct supervisor.

Collaboration with Business Associates on Compliance

North Shore LIJ Health System, Inc.

Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP Senior Manager, Wipfli Risk Advisory Services OBJECTIVES

How to Finish the HIPAA Security Risk Analysis and Meaningful Use Risk Assessment

View the Recording. Webinar: Accounting of Disclosures: Practical Approaches & Enforcement Update. November 17 th, FairWarning, Inc.

Big Data, Security and Privacy: The EHR Vendor View

a physicians guide to security risk assessment

Preparing for an OCR Audit: What is Expected of You

You Might Have a HIPAA Breach. Now What?

You Might Have a HIPAA Breach. Now What?

Privacy and Information Security Sanction Policy

Standard Statement and Purpose

EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY Created for mike elfassi

HIPAA Compliance. Mandatory for 7 MILLION Covered Entities (CE) & Business Associates (BA) 70% of the market is NOT compliant!

Department of Public Health OF SAN FRANCISCO

ClickStaff Orientation Training. Presented to: Contingent Workers Presented by: <Supplier ABC> Version Effective Date: June 20, 2012 Version: 8FINAL

Living Our Purpose and Core Values CODE. Code of Business Ethics and Conduct for Vendors

Policy 2 Workforce Security Policy and Procedure

Meaningful Use Audit Process: Focus on Outcomes and Security

Stacey Carr, Division Privacy Officer. Ram Ramadoss, Director, Privacy and Information Security oversight Catholic Health Initiatives

Merge Unity HIPAA COMPLIANCE STATEMENT. Merge Healthcare 900 Walnut Ridge Drive Hartland, WI 53029

Welcome to today s Live Event we will begin shortly. Please feel free to use Chat or Q&A to tell us any burning questions you may have in advance

Managing the Business Associate Relationship: From Onboarding to Breaches. March 27, 2016

HIPAA Demystified: Strategies to Bullet Proof Your Compliance Plan. Chris Apgar, CISSP Ron Moser, CISA, CRISC

They re Back! Phase 2 OCR Audits Are Underway

Unified SaaS Solution for Cybersecurity and Risk. Curran Data Technologies

Welcome to Northside Hospital s Annual / New Hire Compliance Training. 1 of 35

HIPAA PRIVACY RULE IMPLEMENTATION WHAT S UP AFTER 4/14/03?

Department of Public Health O F S A N F R A N C I S C O

EEA General Data Protection Regulation Privacy Notice - University of Rochester Applicants and Current Employees Located in the EEA

Information Security Policy

SAMPLE COMPLIANCE PLAN. Last revised. Sample only for educational purposes/does not constitute legal advice

SAP and SAP Ariba Solution Support for GDPR Compliance

Long Island Association for AIDS Care, Inc. Corporate Compliance Plan

T e h C L C I L Q Q Sy S stem P ASG S A ll l l G rant n ee M M etin i g n

Triple C Housing, Inc. Compliance Plan

HIPAA Summit VII. Preconference III. Advanced Strategies to Achieve ROI in Implementing HIPAA

Securing Access of Health Information Using Identity Management

Copyright 2018, Tech Mahindra. All rights reserved. WORKER PRIVACY NOTICE

HIPAA Compliance and Mistakes:

STEPS FOR EFFECTIVE MANAGEMENT OF VENDOR AND SUPPLIER CYBERSECURITY RISKS. April 25, 2018 In-House Counsel Conference

Privacy Officer s Guide to Evaluating Cloud Vendors

The Rye Ambulatory Surgery Center, LLC Compliance Plan

GUIDELINES. Corporate Compliance. Kenneth D. Gibbs President & Chief Executive. Martin A. Cammer Senior Vice President & Corporate Compliance Officer

IBM Sterling Web Forms

American Well Hosting Operations Guide for AmWell Customers. Version 7.0

Supplier Security Directives

Report No. AHCA A February Agency Agreements EXECUTIVE SUMMARY

General Personal Data Protection Policy

From the Front Lines: Navigating the OCR Phase 2 HIPAA Audits

HIPAA Summit Presentation Practical Tips to Help AVOID Enforcement

Compliance Plans. Kelly S. McIntosh July 20, 2017

Letter From Crown s President

ASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016

SHRINERS HOSPITALS FOR CHILDREN CORPORATE COMPLIANCE PLAN

FIRST TIER, DOWNSTREAM AND RELATED ENTITY (FDR) COMPLIANCE GUIDE

Effective Compliance Programs How Does Your Program Measure Up?

CODE OF CONDUCT FOR DOING BUSINESS WITH LINKEDIN

Contract and Procurement Fraud. Detection and Prevention

Institutional Compliance Awareness. Updated 2/23/18

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

CEBOS CLOUD PROGRAM DOCUMENT

Request for Proposal

Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2

Top 5 Must Do IT Audits

WHITE PAPER EU General Data Protection Regulation Compliance

Interoperability & Secure, Compliant Communications in Healthcare

THE E-VERIFY PROGRAM FOR EMPLOYMENT VERIFICATION MEMORANDUM OF UNDERSTANDING ARTICLE I PURPOSE AND AUTHORITY

Corporate Compliance Plan

Corporate Background and Experience: Financial Soundness: Project Staffing and Organization

Job Description. Operations Manager. Scheduled Care. Band 8A. Centre Manager. Centre Manager

Compliance Solutions FOR HEALTH CARE. message archive search message archive search message archive search

Supplier Code of Conduct

CODE OF ETHICS & BUSINESS CONDUCT

Applicant Data Privacy Notice

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

Success in Joint Ventures: Sustained Compliance and Audit Oversight

Effects of GDPR and NY DFS on your Third Party Risk Management Program

Modern Slavery & Human Trafficking Policy HRP-01

Commonwealth Health Insurance Connector Authority

Compliance Program Requirements for Medicare Advantage First Tier, Downstream or Related Entities (FDRs), Annual Attestation and Disclosure Statement

General Data Privacy Regulation: It s Coming Are You Ready?

Measuring Compliance Program Effectiveness

Assessments for Certified and Non-Certified Vendors

VIRTUA DATE OF LAST REVIEW 5/11; 4/14, 8/16

Buying IoT Technology: How to Contract Securely. By Nicholas R. Merker, Partner, Ice Miller LLP

Our vision. A company where the best people want to work.

THE E-VERIFY PROGRAM FOR EMPLOYMENT VERIFICATION MEMORANDUM OF UNDERSTANDING ARTICLE I PURPOSE AND AUTHORITY

Data Protection Policy

UNDERSTANDING PCI COMPLIANT DESKTOPS

THE E-VERIFY PROGRAM FOR EMPLOYMENT VERIFICATION MEMORANDUM OF UNDERSTANDING FOR EMPLOYERS USING A DESIGNATED AGENT ARTICLE I PURPOSE AND AUTHORITY

Sarbanes-Oxley Compliance Kit

PATAGONIA WORKS GLOBAL CODE OF EMPLOYEE CONDUCT

UNIVERSITY STANDARD. Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE. Introduction

Transcription:

HIPAA and Electronic Information Are you still acting like it s a paper world? Rebecca Wahler, MS, CHPC, CHC Compliance & Privacy Officer, NMHIC, LCF Research, Albuquerque, NM

Overall Goal Develop basic understanding of the HIPAA and HITECH regulations related to electronic information Basicsteps steps to be taken to improve compliance with the regulations 2

Credit Information NMHIC and NM HITREC are programs administered by LCF Research, which is accredited by the New Mexico Medical Society to provide continuing education for physicians. DISCLOSURE: The content of this lecture does not involve any ACCME defined potential conflicts of interest. There is no commercial support for this educational activity. Everyone in a position to control the content of this lecture has disclosed allrelevant financial relationships to LCF Research, and there are no relevant conflicts of interest to disclose. 3

Credit Information (continued) This activity may be acceptable for Nursing and Physicians Assistant CE credit if applicability to practice can be shown. Blank statements of credit are available to all attendees who complete a pre test and post test/ evaluation form. To obtain a certificate, please complete the pre test and post test/evaluation test/evaluation form and exchange it for your blank statement of credit when you leave. Personalized AMAPRA Category 1 Credit certificates will be e mailed to physician (MD/DO) participants within 2 4 weeks to the address provided on your evaluation/ participation ii i form. 4

Objectives Areas that will be reviewed include: HIPAA, and HITECH Regulations quick review Compliance Assessment Security Risk Assessment Remediation Tasks 5

HIPAA Regulations HIPAA, HITECH and the Security Rule 45 CFR Part 160, 162 and 164 For more information refer to handout. 6

NM Confidentiality Laws NMSA 1978 24 1 9.4; Sexually Transmitted diseases; confidentiality NMSA 1978 24 1 9.5; Sexually transmitted disease; disclosure statement NMSA 1978 24 1 9.7; penalty NMSA 1978 24 2B 6; HIV confidentiality NMSA 1978 NMSA 24 2B 7; 2B disclosure statement NMSA 1978 24 2B 9; penalty NMSA 1978 24 2E 2 and 24 2E 3; viral hepatitis Recently repealed. http://www.nmlegis.gov/sessions/13%20regular/final/sb0310. p// g / / g / / pdf NMSA 1978 28 10A 1; HIV related test; limitation NMSA 1978 24 21 1; Genetic information privacy NMSA 1978 32A 6A 24; children s mental health hand developmental l disabilities privacy NMSA 1978 43 1 19; mental health and developmental disabilities 42CFRPart 2; Substance Abuse treatment confidentiality ofrecords 7

Compliance Assessment 45 CFR 164.308 (a)(8) A covered entity must perform a technical and nontechnical compliance assessment. A HIPAA compliance assessment and a security risk assessment are not the same thing. 8

Compliance Assessment Tools A good tool for determining compliance with the regulations is the Audit Protocol at the Office of Civil Rights or at HIPAA Collaborative of Wisconsin (hipaacow.org). Both are great non technical HIPAA compliance tools. Non technical is looking for documentation and policies. 9

Security Risk Assessment 45 CFR 164.308 (a)(1)(i) A Risk Analysis is a required task. A Security Risk Assessment is a tool to help you determine the threats, vulnerabilities and likelihood of events to your electronic system. 10

Security Risk Assessment Tools The government has provided a Security Risk Assessment tool. A version can be found at hipaacow.org as well. Both can help determine threats, vulnerabilities, likelihood and impact 11

Remediation Steps After completing the compliance and security assessment your office will find missing items and things that need to be improved or changed 12

Common Deficiencies 1. No risk assessment completed or done in years 2. No HIPAA polices or outdated policies 3. No evidence of annual HIPAA training of workforce 4. Missing Business Associate Agreements and Management of BAs 5. Monitoring audit logs and systems logs 13

Policies and Procedures 45 CFR 164.316 Policies and procedures and documentation requirements Policies and Procedures are required Must be able to show workforce has been trained on the policies 14

Policies and Procedures Policies explain the why and Procedures are the how you are doing something Policies don t need to be super complex. Basic and easy to read information is best Plenty of HIPAA templates are available for a fee 15

Business Associate Regulations HIPAA 164.308 (b) (1) Administrative safeguards A Business Associate (BA) is any entity that creates, receives, transmits or maintains your PHI Need a written BA Agreement (not the same thing as the service agreement) BAs should have a BAA in place with their subcontractors 16

What is a Business Associate? A Business Associate is an entity providing services to health care providers, health insurers and other HIPAA covered entities Expanded definition includes any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity Business Associates of covered entities must follow the same regulations and face similar penalties for non compliance 17

Business Associates Subcontractors are now included in the must comply group with HIPAA and Security Rule regulations BAs are required to complete Risk Assessments Directly liable for impermissible uses/disclosures of PHI Government provided BAA template: http://www.hhs.gov/ocr/privacy/hipaa/understanding/co veredentities/contractprov.html 18

Business Associate Contracts BAs are required to follow the minimum necessary requirement. Covered entities are required to get written assurance from their BA that all PHI will be appropriately safeguarded. Violations of the Privacy Rule mean potential civil and criminal penalties for the BA. BA are required to notify the covered entity of a breach of unsecured PHI. 19

Business Associate Management Must make an effort to show due diligence in selecting and managing your Business Associates The greater amount and depth of PHI the BAA has access to the more effort the medical provider should put forth in managing that vendor 20

Business Associate Management Some suggestions: 1. Ask for a copy of their annual Risk Assessment or attestation. 2. Ask if they have a complete set of HIPAA policies and can prove workforce training onthose policies. 3. Ask if they monitor audit logs and IT system logs. 4. Ask if they are using sub contractors. 5. Ask how many people are accessing or working with your PHI. 6. Ask if any of the user accounts are shared or individual. A good presentation from HRSA on what questions to ask your vendors is available. 21

Workforce Management Policy training HIPAA training Workforce/HR policies Access Audit logs IT System logs 22

Policy Training Documentation on workforce training on HIPAA policies Focus on certain policies: Breach prevention, unique user IDs, password management, minimum necessary, patient rights, iht audit logs, IT system activity it review 23

HIPAA training Complete annual HIPAA training New employees should receive some training on HIPAA and your policies before access to systems that contain PHI is granted Document all training 24

Workforce & HR Policies HIPAA 164.308 (a) (1) (ii) (C) Administrative safeguards. Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. HIPAA 164.308 (a)(5) (i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). 25

Workforce and HR Policies Job descriptions should outline what systems that employee has access to and what level of access Background checks Sanction Policy Documented training on HIPAA policies 26

Access, Modification, Deletion HIPAA 164.308 (a) (3) Administrative safeguards Have policies defining appropriate workforce access to PHI Policies on how you authorize that access Policies onhow you supervise workforce access Policies on how you determine the access is appropriate Policies on modifying or termination of access to PHI 27

Access, Modification, Deletion HIPAA 164.308 (a) (4) Administrative safeguards Policy on information system access and management of those systems Policy and procedure on access authorization Policyonaccess on establishment andmodification 28

Workforce Access HIPAA 164.312 (a)(1) Technical safeguards. (a) (1) Standard: Accesscontrol control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). 29

Access, Modification, Deletion Apply the role based feature in your EHR Apply the minimum necessary rule when granting employee or contractor access to your EHR Control who sets up new computer accounts and/or modifies those accounts Remove access to the EHR systems when no longer needed 30

Audit Logs HIPAA 164.312 (b) Technical safeguards. (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. 31

Audit Logs Turn on your auditing capabilities in all electronic health information systems, if possible (EHR, Practice Management, Billing and Coding Software, Scheduling Software) Review audit logs at a minimum of monthly or more frequently if needed Review user activity Spot check user access with patient scheduling Save the audit logs with any additional documentation pertaining to them (6 years) 32

IT System Logs HIPAA 164.308 (a) (1) (ii) (D) Administrative safeguards. Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. 33

IT System Activity Review Regular review of IT System activity is important Document all reviews and any actions taken A good summary of what types of IT Security actions should be considered can be found on the HIPAA Education Resources sheet (#8). 34

IT Security Review IT reportsthat that are useful for further review: Patching and update reports on all Operating, Applications and Network Equipment Remote access user activity Review of user account creation, modification or deletion Authentication activity (failures) Password failures Anti virus/malware i patching thi Encryption management 35

Additional Resources http://www.hhs.gov/ocr/privacy/index.html http://www.ahima.org/ http://www.himss.org/ himss http://hipaacow.org/ p 36

Questions? www.nmhic.org (505) 938-9900

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback