8/9/17
1
Special Presentation: HIPAA Survival
Dr. Ty Talcott, CHPSE (CERTIFIED HIPAA PRIVACY AND SECURITY EXPERT)
• Foxworth Video
A Little about me.
Ski Lift Acrobatics – Worst of times – Best of times
How do they catch people? Head of Georgia legislative committee – Human Error
1 – 2 – 3 Paper protection – practice sale
$289,000 / $31,000 – giving your stuff to others
$3.9 million – Theft / Cyber-security / Hacking
What is HIPAA — Mandatory PHI
What is OIG – Medicare
So, why HIPAA over the last five years and now OIG?
Let’s start with HIPAA: why is HIPAA such a huge risk, all of a sudden? When we all had our little fiefdom….
Electronic medical records, mobile devices and multiple individuals accessing medical records destabilized our ability to protect PHI - no government plan, so responsibility falls back on the doctor under HIPAA.
Value of stolen information skyrockets: $5-$50 for identity theft info - as much as $500 for full health files
Huge breaches: Target and pharmacies
Anthem Insurance = 80 million breached; Blue Cross Perma Blue = 11,000,000 breached
OCR gets extra $4 million for random physician office audits.
They started round two of those audits in July 2016.
[email protected] www.hipaacomplianceservices.com P: 214.437.7559
That explains how we got to where we are with HIPAA, but how did we also become the target of the OIG, combined with the Center for Medicare Services, for demands back of funds paid to chiropractors possibly to the tune of hundreds of millions of dollars?
Been teaching that this day was coming since 2013.
Presently teach for 33 state chiropractic associations and four colleges and added this to my HIPAA program years ago.
Medicare funded to investigate chiropractors for the years 2014 and 2015.
Attorney General declares health care fraud the Dept. of Justice’s number two initiative just behind violent crime!!
Federal government has now turned attention to individual and small group physician practices.
Results were released in 2016: “54% of chiropractic Medicare claims were paid due to error or fraud”
OIG instructs CMS to take “targeted actions against Chiropractors to stop these practices”
OIG got impatient and now virtually any chiropractor could be a target!
They stated $466 million of payout reviewed, an estimated $178 million paid in error and should be due back to the government.
Appears at OIG site: “A MICHIGAN CHIROPRACTOR Received unallowable Medicare payments for chiropractic services.”
Results: Many other chiropractors targeted
Payback $339,625 – They will attempt to recoup
So, what do we do about it?
OIG compliance program is about having a system in place to assure that clinics filing to a federal program do so error/fraud free.
What does OIG program look like?
The OIG seven step process:
1. Written policies — code of ethics, documentation, etc….
2. Compliance officer
3. Training
4. Effective communication
5. Auditing
6. Enforcement
7. Detecting offenses
So, let’s go back to HIPAA!!
Overview of what a HIPAA Regulatory Compliance Manual Looks Like
[Clinic Name]
Index
1. Audit Schedule for 2016
2. Compliance Officer Job Description; Notification of Officer Appointment/Posting; Policy and Procedure; Filing a complaint
3. Notice of Patient Privacy Policy - 2013 Omnibus Rules, Increased enforcement and fines
4. Forms: Consent to use PHI; Restricted Consent; Patient Authorization; Revocation of Authorization; Approve Request to Copy; Deny Request to Copy
5. Required Accounting Log – per patient
6. Corrective Action Forms
7. Employee Confidentiality Statements
8. Business Associate Confidentiality Contracts - 2013 Omnibus Rules, Increased enforcement and fines
9. Annual required Staff In-service training - privacy and security rules.
10. Physical Plant Audit
11. Risk Analysis
12. ISAR
13. Required Annual A-Z HIPAA program Audit/Evaluation
14. BONUS Audits: Claim Denial Review; Medicare ABN Compliance; Clinical File Review
15. Policies and Procedures for Security Rules
16. Required Contingency plan with data recovery and emergency mode operations
17. Required equipment maintenance log
18. Model release for testimonial use
Policies & Procedures
• PRIVACY OFFICER / COMPLIANCE OFFICER
• PRODUCTION OF DOCUMENTS AND DATA
• RETENTION OF DOCUMENTS AND DATA
• SANCTION POLICY
• CONFIDENTIALITY AGREEMENTS AND B.A. CONTRACTS
• SCOPE OF PROTECTION UNDER THE SECURITY RULES
• APPLICABLE STATUTES / REGULATIONS
• TEAM MEMBER / WORKFORCE POLICIES
• PROHIBITED ACTIVITIES
• SECURITY MANAGEMENT PROCESS - RISK ANALYSIS
• EMERGENCY OPERATIONS PROCEDURE
• EMERGENCY ACCESS
• BUILDING SECURITY
• ELECTRONIC COMMUNICATION
• INTERNET ACCESS
• REPORTING SOFTWARE MALFUNCTIONS
• TRANSFER OF FILES BETWEEN HOME AND WORK OR EMPLOYEE TO EMPLOYEE
• INTERNET CONSIDERATIONS
• DE-IDENTIFICATION / RE-IDENTIFICATION OF PERSONAL HEALTH INFORMATION (PHI)
• USER LOGON AND IDS
• ACCESS CONTROL
• DIAL-IN CONNECTIONS
• MALICIOUS CODE
• ENCRYPTION
• TELECOMMUTING
• SPECIFIC PROTOCOLS AND DEVICES
• RETENTION / DESTRUCTION OF MEDICAL INFORMATION
• DISPOSAL OF EXTERNAL MEDIA / HARDWARE
• MANAGING CHANGE
• AUDIT CONTROLS
• BREACH NOTIFICATION PROCEDURES
• CONFIDENTIALITY / SECURITY TEAM (CST)
• CONTINGENCY PLAN
• SECURITY AWARENESS AND TRAINING
• EMPLOYEE BACKGROUND CHECKS
Special Offer • Retail Price of $549.00 • Discounted Seminar Price of $397.00
SPECIAL PRE-PUBLICATION OFFER; OIG Compliance Program FREE with purchase of any HIPAA product, from this seminar ($399 Retail Value)
Call 214-437-7559 or Email: [email protected] /
• Break
Patient Name: ______________________ Identification Number: ______________________
Advance Beneficiary Notice of Noncoverage (ABN)
NOTE: If Medicare doesn’t pay for services below, you may have to pay.
Medicare does not pay for everything, even some care that you or your health care provider have good reason to think you need. We expect Medicare may not pay for the service below.
Services | Reason Medicare May Not Pay: | Estimated Cost
WHAT YOU NEED TO DO NOW:
• Read this notice, so you can make an informed decision about your care.
• Ask us any questions that you may have after you finish reading.
• Choose an option below about whether to receive the service listed above.
Note: If you choose Option 1 or 2, we may help you to use any other insurance that you might have, but Medicare cannot require us to do this.
OPTIONS: Check only one box. We cannot choose a box for you.
□ OPTION 1. I want the service listed above. You may ask to be paid now, but I also want Medicare billed for an official decision on payment, which is sent to me on a Medicare Summary Notice (MSN). I understand that if Medicare doesn’t pay, I am responsible for payment, but I can appeal to Medicare by following the directions on the MSN. If Medicare does pay, you will refund any payments I made to you, less co-pays or deductibles.
□ OPTION 2. I want the service listed above, but do not bill Medicare. You may ask to be paid now as I am responsible for payment. I cannot appeal if Medicare is not billed.
□ OPTION 3. I don’t want the service listed above. I understand with this choice I am not responsible for payment, and I cannot appeal to see if Medicare would pay.
Additional Information: This notice gives our opinion, not an official Medicare decision. If you have other questions on this notice or Medicare billing, call 1-800-MEDICARE (1-800-633-4227/TTY: 1-877-486-2048). Signing below means that you have received and understand this notice. You also receive a copy.
Signature: ______________________ Date: ______________
CMS does not discriminate in its programs and activities. To request this publication in an alternative format, please call: 1-800-MEDICARE or email: [email protected].
According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-0566. The time required to complete this information collection is estimated to average 7 minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have comments concerning the accuracy of the time estimate or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Baltimore, Maryland 21244-1850.
Form CMS-R-131 (Exp. 03/2020) Form Approved OMB No. 0938-0566
• Good place to pause and talk about compliant fee schedules for a second.
• When they look, they look… They look at forms, postings, what you have people sign and whether that info. is protected.
• Dual fee systems • Point of service • Now can NOT report to ins. if patient dictates, which can cause more scrutiny.
How About You?… Do You Worry? • Dual fee schedule? • Cash discounts? • OIG inducement violations • Is your financial policy legal & compliant at all levels?
If you don’t worry, YOU SHOULD! Better yet: Know the Rules!
To receive a Sample 1 Page Financial Policy from Dr. Foxworth, text DRT to (601) 227-7720. This is a great tool that you can customize in your office and a step toward becoming more compliant!
Which chiropractors are at risk if they do not provide translation services for the 15 top non-English languages for their patients to satisfy the new law enacted October 16 of this year?
Best Friend
• Privacy Posting is now called the “Notice of Patient Privacy Policy”
• The Policy must include that you need special releases for:
• disclosures of psychotherapy notes
• disclosures of Protected Health Information for marketing purposes; and
• disclosures that constitute a sale of Protected Health Information; as well as a statement that other uses and disclosures not described in the Notice of Privacy Practices will be made only with authorization from the individual.
Privacy Posting Changes
• That an individual has a right to opt out of fundraising communications (i.e. if the Covered Entity intends to contact the individual regarding fundraising).
• The right of an affected individual to be notified following a breach of unsecured Protected Health Information.
• How patients can file a complaint. This can be either on your Compliance Officer Posting or in your Privacy Policy.
• The right to restrict certain disclosures of Protected Health Information to a health plan where the individual pays out of pocket in full for the health care item or service.
• These inclusions in your Notice of PPP are a great way to train part of your required in-service.
• Based on the September 2013 changes in the “Notice of Patient Privacy Policy” there are certain things you must do:
• (1) include in your ‘Consent to use PHI’ a statement acknowledging the patient has received a copy of the new ‘Notice of Patient Privacy Policy’ and distribute a copy of the policy to all NEW patients at the time the Consent to use PHI is signed, thereby acting as a signed receipt.
• (2) provide a copy to patients upon request.
• (3) post, by having readily available, the new “Notice of Patient Privacy Policy” or post a summary of the changes, and have a full copy readily available.
Risk Analysis
• Risk Analysis • Date performed _________ Participants ______________________
• Inventory of Assets that contain PHI, including key staff, business associates, etc.: – Laptop Computer – On-site server – __________, etc.
Item from inventory list: Laptop computer
• Threats and vulnerabilities:
1. Viruses
2. Lack of adequate policies and procedures for who uses computer - for what purposes
3. Unknown location overnight
4. No protocols to prevent unauthorized internet access
5. At risk for theft while being transported
6. Data at rest not encrypted
7. _________________ etc.
• Present controls in place:
4. There is a policy in place to limit unauthorized utilization of the internet
5. When transported in the car the computer is to always be locked in the trunk if left in the car
• Gap analysis - Still needed:
1. Anti-Virus
2. Adequate Policies and Procedures need to be developed and trained to staff
3. System for ‘checking out’ the computer, if taken off premises, to know who has it and when it is to be returned
6. Non-encrypted data
• Potential solutions:
1. Install anti-virus, buy new
2. Install anti-virus as ‘additional computer’ on an existing plan
3. Download anti-virus from the internet.
4. Consider McAfee, Norton, AVG, Sophos
5. Policies could be written from scratch on each individual area needed.
6. Existing Policies could be expanded to cover areas of concern.
7. A ‘check out system’ could be set up similar to a library card
8. One individual could be put in charge of ‘loaning out’ equipment and keeping a log of who has what, where, etc.
9. Could require the laptop never leave the office.
10. Check with IT professional for encryption solutions
11. ___________, etc.
• Mitigation of risk:
1. Download and install Norton anti-virus
2. Expand existing policies to cover areas of concern relating to who is authorized to use the equipment and check it out
3. Office manager will be in charge of ‘releasing’ the laptop for overnight only use.
6. Office manager will oversee implementation of encryption for data at rest
• Who is going to follow up: Office manager will assure that all components of the mitigation process are in place and functioning by ___________, record the date of implementation on the risk analysis form and create a report detailing the new function to be placed in the hands of senior management by _______ (date).
• The new wrinkle = Information Systems Activity Review
• Added request, in addition to risk analysis, started January 2015 as a new component of meaningful use attestation audits.
Information Systems Activity Review Log – HIPAA Compliance Services ©
ASSET rows: Ex: Laptop / Ex: iPad / Ex: Desktop Station #1 / Ex: Server / Ex: iPhone / ____________ / ____________
For each asset the log records the following columns:
Passwords – STAFF TRAINED: YES ______ Date ______; Updated/Changed: DATE ______ DATE ______
Audit Logs – STAFF TRAINED: YES ______ Date ______; Logs Reviewed: DATE ______ DATE ______
Encryption – STAFF TRAINED: YES ______ Date ______; Secure/Updated: DATE ______ DATE ______
Anti-Virus / Firewalls – STAFF TRAINED: YES ______ Date ______; Patches Current: DATE ______ DATE ______
Back-Up – STAFF TRAINED: YES ______ Date ______; Viewed: DATE ______ DATE ______
Sign-off block (three copies on the form):
Reviewed by Signature: ______________________ Date: ______________
Review Findings: (i.e. No suspicious activity, all updates complete) ______________________
OTHER: ______________________
• Equipment Maintenance: Equipment is maintained by in-house IT staff _____________ (name of person/persons). Any outside work needed is monitored by such person as who did what at what time and is recorded on the risk analysis form for easy review and update - as well - status of periodic testing for proper function of maintained equipment if recorded.
• Data Recovery: In the event of loss of access to data, for any reason, restoration can take place via Carbonite cloud backup. Senior management is in possession of the process for restoration.
• Emergency Mode Function: This piece of equipment is not critical for basic functions in the event of a disaster such as flood, earthquake, tornado, etc. that may interrupt or destroy function. Other office equipment can access needed data and perform functionality.
The most expensive but best way to go for the larger practice that knows it costs more money to take their and staff time away from the practice than it costs for the program! Depending on how many doctors, locations etc. this program is usually somewhere around $5000 plus expenses. (Broken into 3 payments!)
This is a very popular AFFORDABLE midrange service we provide for authoring your HIPAA compliance manual for you; risk analysis, ISAR, around 100 pages of policies, customized documents and forms, and much more required by the government. The cost is three payments of $599 each. If you have already purchased the Survival Kit, you will receive an immediate $300 credit that will apply toward the purchase of the Silver level!
• Break
• You must have policies/procedures relative to disposal of PHI records and all staff agree to abide by them. Need to document an audit trail to prove policies followed to complete destruction by outsourcing to a service, physically destroying or use of a software to sanitize (not recommended for USB/flash media due to sector sparing).
• Pay special attention to disposal of problem devices like printers, fax machines that store information, flash drives, etc. NIST, at government site, is a good resource for proper disposal.
• Physical access control ** Policies must be in place and agreed to by staff, prescribing the physical safety and security of devices. All devices must be inventoried and accounted for. All computers are protected from environmental hazards. Physical access to secured areas is limited to authorized persons.
• I have written a P&P to cover physical safety and security of devices and have a plan to enforce same.
__ YES __ NO
• Securing electronic transmissions and network utilization ** It is required to have integrity controls and encryption in place. Policies need to be in place prescribing network configuration and who has access and all staff agree to abide by them.
• Access is restricted to authorized users and devices. Guest devices may not contain PHI, no peer-to-peer applications. No public instant messaging and private instant messaging only if secured.
• Backup and Securing Encryption methods for offsite electronic media, backup tapes, data at rest, text messaging, etc.
** Backup… policies and procedures for backup and recovery are in place and agreed to by staff, all staff understand their duties during recovery. The entire system restore process is known to at least one person outside the practice.
• A copy of recovery plan is safely stored offsite, files that are critical are documented and listed in the backup configuration. There is a timely and regular backup schedule and every run is tested for its ability to restore data accurately. Backup media are secured or encrypted - if offsite. Backups are unreadable prior to disposal. Multiple backups are maintained.
** Access control policies must be in place and all staff agree to abide by (document this). What to do at termination of employee, every user account must be documented to be tied to a currently authorized individual, minimum necessary states an individual may only access what is needed to perform their work, all files must be set to allow only authorized individuals to use. Computers running health care data are not allowed for other uses.
• Awareness training relative to these and all other issues is required (annual and ongoing).
• Determining which audit logs to activate
• Only the audit logs you will actually use and monitor are appropriate to be activated. Choosing which audits to have open is based on risk and sensitivity of data.
• Auditing your use of logins/trails
• Tracking must contain, at the least, personal ID, date, time, reason accessing (view, change, delete) and show all attempts - successful and unsuccessful.
• Your logins should timeout/lockout after three attempts. There should be written reports in your HIPAA manual relative to summary of logs and sanctions in place for violations.
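The tracking and lockout points above, worked through as a small log-review script (an added example, not part of the seminar handout or any product it sells): it parses a constructed pipe-delimited access log, refuses entries that lack the minimum fields, finds accounts that reach three consecutive failed logins, flags any login that succeeded after that point, and tallies per-user activity for the written summary report. The log format, field names and user IDs are assumptions made for the example.

```python
"""Audit-trail review for the minimum logging and lockout rules listed above.
Added example, not material from the handout; log format and names are assumed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

MAX_FAILED_ATTEMPTS = 3                                   # lockout threshold from the handout
ALLOWED_ACTIONS = {"login", "view", "change", "delete"}  # "reason accessing" values


@dataclass(frozen=True)
class AccessEvent:
    user_id: str         # personal ID of the workforce member
    timestamp: datetime  # date and time of the attempt
    action: str          # reason for access: login, view, change or delete
    success: bool        # successful and unsuccessful attempts are both kept
    record_id: str       # chart touched; empty for a login attempt


def parse_line(line: str) -> AccessEvent:
    """Parse one entry in the assumed format  timestamp|user_id|action|OK-or-FAIL|record_id
    and refuse any entry that lacks a required field, so a log that cannot meet the
    minimum content is caught at review time instead of being silently accepted."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    ts, user, action, result, record = parts
    if not user:
        raise ValueError(f"missing personal ID: {line!r}")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown access reason {action!r}: {line!r}")
    if result not in ("OK", "FAIL"):
        raise ValueError(f"result must be OK or FAIL: {line!r}")
    return AccessEvent(user, datetime.fromisoformat(ts), action, result == "OK", record)


def parse_log(text: str) -> List[AccessEvent]:
    """Parse all non-empty lines and order them by time so streaks can be tracked."""
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(events, key=lambda e: e.timestamp)


def lockouts(events: List[AccessEvent]) -> Dict[str, datetime]:
    """Time at which each account reached MAX_FAILED_ATTEMPTS consecutive failed
    logins. A successful login before the threshold resets the streak."""
    streak: Dict[str, int] = defaultdict(int)
    locked: Dict[str, datetime] = {}
    for e in events:
        if e.action != "login" or e.user_id in locked:
            continue
        if e.success:
            streak[e.user_id] = 0
            continue
        streak[e.user_id] += 1
        if streak[e.user_id] >= MAX_FAILED_ATTEMPTS:
            locked[e.user_id] = e.timestamp
    return locked


def logins_after_lockout(events: List[AccessEvent],
                         locked: Dict[str, datetime]) -> List[AccessEvent]:
    """Successful logins recorded after the account should have been locked:
    evidence that the lockout control exists on paper but is not enforced."""
    return [e for e in events
            if e.action == "login" and e.success
            and e.user_id in locked and e.timestamp > locked[e.user_id]]


def summarize(events: List[AccessEvent]) -> Dict[str, Dict[str, int]]:
    """Per-user counts of each action plus failed attempts: the raw numbers for
    the written log-summary report the handout says the HIPAA manual must hold."""
    totals: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        totals[e.user_id][e.action] += 1
        if not e.success:
            totals[e.user_id]["failed"] += 1
    return {user: dict(c) for user, c in totals.items()}


# Constructed sample log: one normal user and one account that fails three times,
# then logs in anyway (a working lockout should have stopped that fourth attempt).
SAMPLE_LOG = """
2017-08-09T08:55:10|jsmith|login|OK|
2017-08-09T08:56:00|jsmith|view|OK|CHART-1042
2017-08-09T09:14:02|bjones|login|FAIL|
2017-08-09T09:14:20|bjones|login|FAIL|
2017-08-09T09:14:45|bjones|login|FAIL|
2017-08-09T09:15:05|bjones|login|OK|
2017-08-09T12:03:11|jsmith|delete|FAIL|CHART-1042
2017-08-09T12:03:30|jsmith|change|OK|CHART-1042
"""

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    locked = lockouts(evts)
    for user, when in locked.items():
        print(f"LOCKOUT  {user} reached {MAX_FAILED_ATTEMPTS} failed logins at {when}")
    for e in logins_after_lockout(evts, locked):
        print(f"SANCTION REVIEW  {e.user_id} logged in at {e.timestamp} after lockout")
    for user, counts in summarize(evts).items():
        print(f"SUMMARY  {user}: {counts}")
```

Run against a real export, the same three functions give the reviewer the lockout list, the entries that should trigger the sanction policy, and the per-user figures for the summary report.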
• Physical Plant “Walk Through” Audit • Office: ________________ Date: ______________
• Area of review • Compliant - Y/N • Comments
• Patient charts located in secure area. Y/N
• Names on charts protected. Y/N
• Information at front desk protected. Y/N
• Insurance/Collection calls not able to be heard from patient area. Y/N
• Computer screens with rapid timeout/password protected. Y/N
• Sign in sheet does not contain health information. Y/N
• Phone messages kept in protected area. Y/N
• Charts not left in unprotected areas of office with identifiable information visible. Y/N
• Charts not left in exam or treatment areas after patient treatment. Y/N
• X-rays/other diagnostic tools removed after patient treatment from examination/treatment area. Y/N
• Patient information and treatment not discussed in common areas. Y/N
• Recognition boards/pictures etc. do not include identifiable information. Y/N
• Privacy provided as needed based on treatment provided. Y/N
• Patient Rights accessible upon request. Staff knowledgeable about location. Y/N
• Blackout screens • Computer Passwords • Rapid timeout screen savers • Relocation of Computers • Relocation of staff member • New Sign In sheet
Critical points taken from the HIPAA CONFERENCE hosted by OCR, CMS and NIST in Washington DC
Enforcement so far based on complaints and pilot audits.
Now ramping to enforcement program.
If asked to volunteer I recommend you do NOT.
There is no immunity and prosecution is “never off the table”.
They go through the process of how many rules were broken to determine fine level.
HHS will be notifying select entities that they are subject to an audit.
Respond as instructed or a desk audit will turn into an onsite audit.
They will be requesting a list of your B.A.
Findings of these audits will turn into a compliance investigation and enforcement.
Required In-Service
• Here are some key points for your required In-Service.
– History of HIPAA – Benefits of Compliance With The Privacy Laws
– Why do we need to be compliant? – The Privacy Rule: Who Is Affected
• Our Compliance/Privacy Officer is: _____________________________
• Our Privacy Rules can be reviewed by patients; the policy is located __________.
• No records are faxed or mailed from the office unless the Compliance/Privacy Officer is notified so that proper consents and procedures can be followed.
• All patient information is considered private, therefore staff is expected to:
• Make sure all records are kept confidential and out of sight.
• Patients are not discussed outside the office.
• Phone conversations are kept private and not held where other patients can hear sensitive information.
This office will destroy records in the following manner:
1. Burn or 2. Shred 3. Outside company
Documentation will be kept of all records destroyed and the manner of destruction.
This office will secure records in the following manner:
1. ________ 2. ________
Disciplinary Standards & Enforcement
Confidential information includes:
· Any communication between a patient and the doctor.
· Any communication between a patient and other clinical persons regarding:
• All clinical data, i.e., diagnosis, treatment;
• Patient transfer to a facility for treatment of drug abuse, alcoholism, mental/psychiatric problem;
Release of Patient Information
Telephone Requests for Release of Confidential Patient Information
• Medical information regarding a patient shall not be released over the telephone except when required for immediate patient care.
Fax Requests for Release of Confidential Patient Information
• Authorization for release of medical information will be accepted through a fax machine (hard copy is preferred). Information will be faxed to physicians' offices only and only in emergency cases and/or when the patient is in the office.
Special Offer • Retail Price of $549.00 • Discounted Seminar Price of $397.00
SPECIAL PRE-PUBLICATION OFFER: OIG Compliance Program FREE with purchase of any HIPAA product from this seminar ($399 Retail Value)
Call 214-437-7559 or Email: [email protected] /
The most expensive but best way to go for the larger practice that knows it costs more money to take their own and their staff's time away from the practice than it costs for the program! Depending on how many doctors, locations, etc., this program is usually somewhere around $5000 plus expenses. (Broken into 3 payments!)
This is a very popular AFFORDABLE mid-range service we provide for authoring your HIPAA compliance manual for you: risk analysis, ISAR, around 100 pages of policies, customized documents and forms, and much more required by the government. The cost is three payments of $599 each. If you have already purchased the Survival Kit, you will receive an immediate $300 credit that will apply toward the purchase of the Silver level!
• Break

Privacy Posting Changes
• Privacy Posting is now called the “Notice of Patient Privacy Policy”
• The Policy must include that you need special releases for:
• disclosures of psychotherapy notes
• disclosures of Protected Health Information for marketing purposes; and
• disclosures that constitute a sale of Protected Health Information; as well as a statement that other uses and disclosures not described in the Notice of Privacy Practices will be made only with authorization from the individual.
• That an individual has a right to opt out of fundraising communications (i.e. if the Covered Entity intends to contact the individual regarding fundraising).
• The right of an affected individual to be notified following a breach of unsecured Protected Health Information.
• How patients can file a complaint. This can be either on your Compliance Officer Posting or in your Privacy Policy.

Business Associate Contracts
– A Business Associate is directly liable under the HIPAA Privacy Rule for uses and disclosures of Protected Health Information that are not in accordance with its Business Associate agreement or the HIPAA Privacy Rule itself.
– Business Associates remain contractually liable for all other HIPAA Rule obligations; this subjects them to the same possible fines and penalties.
– (Business Associates are any entity that has access to your electronic records, that you transmit records to, or that stores records for you.)

Which chiropractors are at risk if they do not provide translation services for the top 15 non-English languages for their patients to satisfy the new law enacted October 16 of this year?
But, who really has to follow these rules and how can you go about satisfying these regulations?
1. A chiropractor is Exempt if they do not treat any individuals that are eligible for Medicare or Medicaid or have received any other government funds (Meaningful Use attestation, grants, etc.) from any other federal program.
2. A chiropractor is exempt if they only treat Medicare Part B patients and no other type of patient eligible for a federally funded program.
3. A chiropractor is NOT exempt and must follow the rules if they treat, contract or have any relationship with any Medicare Part C (Advantage and/or replacement plans) or Medicaid patients, EVEN IF THEY also participate in Medicare Part B!
So, if they must follow the rules, what do they have to do?
A. You must post notices (taglines) to patients and their families stating that translation services are available in the top 15 required languages for your state. (Family members may NOT substitute for translators; the translators must be "qualified".)
These taglines must also be included in larger and more standard publications. For smaller publications (for example, postcards), the top two languages for each state must be used. A full list of the top 15 languages for each state can be found at: HHS Top 15 Languages by State.
B. Written translations must be available for: websites (it appears that for physicians the entire website does not have to be translated and only the taglines/short notices must be published at the website) and critical written materials that will be given to patients such as discharge notifications, medication instructions, treatment plans, insurance benefits, etc.
C. Physicians must post a nondiscrimination notice that covers several key factors. HHS has a “sample” non-discrimination notice at: http://www.hhs.gov/sites/default/files/sample-ce-notice-english.pdf and HHS has provided several language samples for taglines.
Translators in all of these languages available? Obviously a clinic cannot afford to hire translators etc. --- Google search 'language interpreters for affordable care act'.
The healthcare world of regulation will continue to heighten as we are embroiled in issues regarding Cybersecurity, Medicare fraud and healthcare reform.
Best Friend
A. Notifier: B. Patient Name: C. Identification Number:
Advance Beneficiary Notice of Noncoverage (ABN)
NOTE: If Medicare doesn’t pay for D. below, you may have to pay. Medicare does not pay for everything, even some care that you or your health care provider have good reason to think you need. We expect Medicare may not pay for the D. below.
D. E. Reason Medicare May Not Pay: F. Estimated Cost
WHAT YOU NEED TO DO NOW: • Read this notice, so you can make an informed decision about your care. • Ask us any questions that you may have after you finish reading. • Choose an option below about whether to receive the D. listed above.
Note: If you choose Option 1 or 2, we may help you to use any other insurance that you might have, but Medicare cannot require us to do this.
G. OPTIONS: Check only one box. We cannot choose a box for you.
☐ OPTION 1. I want the D. listed above. You may ask to be paid now, but I also want Medicare billed for an official decision on payment, which is sent to me on a Medicare Summary Notice (MSN). I understand that if Medicare doesn’t pay, I am responsible for payment, but I can appeal to Medicare by following the directions on the MSN. If Medicare does pay, you will refund any payments I made to you, less co-pays or deductibles.
☐ OPTION 2. I want the D. listed above, but do not bill Medicare. You may ask to be paid now as I am responsible for payment. I cannot appeal if Medicare is not billed.
☐ OPTION 3. I don’t want the D. listed above. I understand with this choice I am not responsible for payment, and I cannot appeal to see if Medicare would pay.
H. Additional Information:
This notice gives our opinion, not an official Medicare decision. If you have other questions on this notice or Medicare billing, call 1-800-MEDICARE (1-800-633-4227/TTY: 1-877-486-2048). Signing below means that you have received and understand this notice. You also receive a copy.
I. Signature: J. Date:
According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-0566. The time required to complete this information collection is estimated to average 7 minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have comments concerning the accuracy of the time estimate or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Baltimore, Maryland 21244-1850.
Form CMS-R-131 (03/11) Form Approved OMB No. 0938-0566