HEALTH INFORMATION SECURITY & COMPLIANCE – Charles Nwasor, Xcellent Technologies

Posted on 21-Feb-2016

TRANSCRIPT

Page 1: Health information security & compliance

HEALTH INFORMATION SECURITY & COMPLIANCE

Charles Nwasor, Xcellent Technologies

Page 2: Agenda

1. HIPAA
2. The New Healthcare Paradigm
3. Internal Compliance
4. Conclusion

Page 3: 1. HIPAA

Page 4: HIPAA – Overview

Health Insurance Portability & Accountability Act (HIPAA)

Sets standards to assure the Confidentiality, Integrity, and Availability of PHI.

Limits the use and disclosure of confidential information:
• Protected Health Information (PHI)
• Electronic Protected Health Information (ePHI)

Its three rules:
• Privacy – individuals’ rights of privacy and standards
• Security – security of ePHI
• Breach Notification – reporting breach information

Page 5: HIPAA – PHI

PHI and Personally Identifiable Information: any information (verbal, electronic, or written) that relates to a person’s physical or mental health or payment information.

Identifiers:
• Name
• Postal Address
• All elements of Date
• Telephone Number
• Fax Number
• Email Address
• URL
• IP Address
• Social Security Number
• Account Numbers
• License Number
• Medical Record Number
• Health Plan Number
• Device Identifier
• Vehicle Identifier
• Biometric Identifier
• Full-face Photos
• Any other unique identifying number
• Genetic information

Page 6: HIPAA – CIA Triad

• Confidentiality – keeping information from unauthorized access
• Integrity – safeguarding against unauthorized modification
• Availability – assuring the constant availability of information

Page 7: HIPAA – Privacy Rule

Establishes rights of privacy and standards for disclosure.

Permitted Disclosures:
• Personal Representatives
• Treatment, Payment and Healthcare Operations
• Written Authorization / Verbal Consent
• De-identified Data

Required Disclosures:
• Public Health Activities
• Law Enforcement

Also:
• Verification Requirements
• Notice of Privacy Practices

Page 8: HIPAA – Security Rule

Requires control measures to safeguard the confidentiality, integrity and availability of electronic Protected Health Information (ePHI).

Organizational Requirements – Business Associate Agreements (BAAs)

Security Standards:
• Administrative
• Physical
• Technical

Administrative safeguards include:
• Security Management Process
• Information Access Management
• Security Awareness and Training

Page 9: HIPAA – Breach Notification Rule

Requires notifications to authorities and/or patients when unsecured PHI has been breached.

Defines Breach as the inappropriate use or disclosure that compromises the security and privacy of PHI.

Exceptions:
• Unintentional acquisition by a workforce member
• Inadvertent disclosure between workforce members
• Recipient cannot reasonably retain the information

Unsecured PHI – PHI that has not been rendered unreadable or indecipherable to unauthorized persons.

Page 10: 2. The New Healthcare Paradigm

Page 11: The New Healthcare Paradigm

Page 12: 3. Internal Compliance

Page 13: Internal Compliance Framework

1. Assess Risk
   • Security Risk Assessment
2. Plan Corrective Action
   • Prioritize Controls
3. Create & Implement Control Measures
   • Remediate

Page 14: Internal Compliance Framework

Information Security Policy & Technical Controls:
• Acceptable Use
• Access Controls & Physical Security
• Secure Software & Malicious Code
• Security Incident Management
• Sanctions
• Breach Notification
• Workforce Security
• Security Awareness and Training
• Proper Conduct and Authorized Disclosures

Page 15: Internal Compliance Framework

Page 16: Impacts of Non-Compliance

• Regulatory Fines
• Lawsuits and Liability
• Loss of Business
• Professional Sanctions

Page 17: Current Examples

• Hospice of North Idaho – $50,000
• Massachusetts Eye and Ear Associates Inc. – $1.5 Million
• River Falls Medical Clinic – 2,400 patient records stolen
• Shands Jacksonville Clinic – 261 patient records photographed
• Goldthwait Associates, a billing service provider – $140,000
• Phoenix Cardiac Surgery, P.C. – $100,000

Page 18: 4. Conclusion

Page 19: Health information security & compliance


Assuring the Privacy and Security of Patients’ Information is a vital component of providing healthcare.

Page 20: Questions

Page 21: Contact

Xcellent Technologies
43155 Main Street, Suite 2210-D
Novi, MI 48375

(248) 956.0538
[email protected]
http://www.xcellenttechnologies.com