HIPAA Audio Presentation
DESCRIPTION
HIPAA in the Health Care Setting
TRANSCRIPT
![Page 1: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/1.jpg)
LISA D. SHANNON, RN, JD
Understanding The HIPAA Privacy and Security Laws
![Page 2: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/2.jpg)
OBJECTIVES
Provide an Overview of the HIPAA Privacy and Security Rules in the Health Care Setting
Summarize the HITECH Security Enhancements of HIPAA
Define how the HITECH Security enhancements impact your Business Associates
Define Security Breaches and the reporting requirements under the HIPAA HITECH enhancements
Offer strategies for compliance with the HIPAA HITECH enhancements
Questions
![Page 3: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/3.jpg)
WHAT IS HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that is designed to protect the privacy and security of patient health information.
This federal legislation provides for:
The portability of health care coverage;
The security and privacy of health information; and
Accountings of how individual health care information is handled and protected.
![Page 4: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/4.jpg)
SO, HOW HAS HIPAA CHANGED THE HEALTH CARE PICTURE?
![Page 5: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/5.jpg)
THE HIPAA LAWS HAVE IMPACTED THE HEALTH CARE INDUSTRY BY…
Making broad sweeping changes to the way patient information is handled and the way we do business with our patients:
As a result of the HIPAA Laws:
The patient’s control of and access to their health care information has increased; and
Protections for individually identifiable health information from threats of loss or unauthorized disclosure have increased substantially.
![Page 6: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/6.jpg)
THE PRIVACY AND SECURITY OF HEALTH INFORMATION
Prior to the enactment of the HIPAA Rules, your personal health information could legally be sold or even used to determine your life insurance premiums or mortgage rate!
The HIPAA Privacy Rule now prohibits a covered entity from using or disclosing PHI for such purposes without the individual’s written authorization.
![Page 7: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/7.jpg)
BUT FIRST…A FEW WORKING DEFINITIONS
![Page 8: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/8.jpg)
DEFINITION…WHAT IS A COVERED ENTITY?
A covered entity (CE) is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA Privacy and Security Rules.
![Page 9: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/9.jpg)
DEFINITION…WHAT IS A BUSINESS ASSOCIATE?
A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity.
An example of a business associate would be an independent medical transcriptionist who provides transcription services to a physician.
![Page 10: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/10.jpg)
DEFINITION…PROTECTED HEALTH INFORMATION
Protected Health Information or PHI means individually identifiable health information that is:
Transmitted by electronic media;
Maintained in electronic media; or
Transmitted or maintained in any other form or medium.
![Page 11: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/11.jpg)
EXAMPLES OF PROTECTED HEALTH INFORMATION
Examples of PHI include but are not limited to the following:
Names
Address
Social Security number
Family history
Telephone number
Fax number
Account numbers
Medical record numbers
Email address
Dates (birthday, admission, discharge)
Certificate/license numbers
Vehicle ID
Personal assets
Device identifiers
Biometrics (finger or voice print)
Photographs
Any unique identifying number, code or characteristic
![Page 12: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/12.jpg)
WHAT DOES INDIVIDUALLY IDENTIFIABLE MEAN?
Protected Health Information (PHI) under HIPAA includes any individually identifiable health information.
Identifiable refers not only to data that is explicitly linked to a particular individual, it also includes health information that contains data items which could reasonably be expected to allow for individual identification.
![Page 13: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/13.jpg)
WHAT ARE SOME FORMS OF PHI? PHI MUST BE PROTECTED REGARDLESS OF ITS FORM OR MEDIUM
PHI can be in many forms or types of media. Examples include:
Paper copies/printed copies
Telephone calls and voice mail
Photos/videos
Verbal communication
Fax transmissions
Information transmitted over the Internet
Email
You must take the appropriate precautions to protect PHI in any form or medium and report violations to your HIPAA Officer/Liaison.
![Page 14: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/14.jpg)
WHAT IS SECURED PHI?
Secured PHI is PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals by one or more of the following methods:
Encryption – the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. The protection depends on the key being kept separate from the encrypted data; PHI whose key is lost or disclosed together with the data is not secured.
Destruction – shredding or destroying paper or film media so that the PHI cannot be read or otherwise reconstructed, and clearing, purging or physically destroying electronic media so that the PHI cannot be retrieved.
![Page 15: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/15.jpg)
WHAT IS UNSECURED PHI?
Unsecured PHI is PHI in paper or electronic form that has not been secured through the use of a technology or methodology specified by the Department of Health and Human Services (HHS), that makes the PHI unusable, unreadable, or indecipherable to unauthorized individuals.
![Page 16: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/16.jpg)
TREATMENT, PAYMENT AND HEALTHCARE OPERATIONS
![Page 17: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/17.jpg)
TREATMENT, PAYMENT AND HEALTHCARE OPERATIONS
A Covered Entity may access, use, and/or disclose PHI without patient authorization for:
Treatment – The provision, coordination, or management of health care and related services by healthcare provider(s); this includes 3rd party healthcare providers for treatment alternatives and health-related benefits.
Payment – Activities to determine eligibility for benefits or coverage and to obtain payment for the provision of health care services.
Health Care Operations – Activities that manage, monitor, and evaluate the performance of a health care provider or health plan.
![Page 18: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/18.jpg)
EXAMPLES OF TPO: TREATMENT, PAYMENT, HEALTH CARE OPERATIONS

| Scenario | TPO |
|---|---|
| State auditors are conducting an internal audit. | Health Care Operations |
| A therapist at a health care facility discloses PHI to a practitioner when a referral for services is necessary. | Treatment |
| PHI is disclosed to insurance companies for the purpose of payment for services. | Payment |
![Page 19: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/19.jpg)
THE MINIMUM NECESSARY PRINCIPLE
![Page 20: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/20.jpg)
DEFINITION…MINIMUM NECESSARY PRINCIPLE
The Privacy Rule requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.
![Page 21: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/21.jpg)
MINIMUM NECESSARY
For Example:
The minimum necessary principle should always be applied when sharing a client’s PHI to protect the client’s privacy, even when sharing PHI with co-workers.
AND…
Only those individuals with a need to know should have access to an individual’s protected health information (PHI).
![Page 22: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/22.jpg)
MINIMUM NECESSARY DISCLOSURES
Under current law, a CE must make reasonable efforts to limit disclosure of PHI to the “minimum necessary” – an exception exists for treatment purposes;
Under ARRA, HHS will develop further guidance defining what constitutes the minimum necessary;
Until further guidance is issued, a CE is required, to the extent practicable, to limit disclosures of PHI to the “limited data set” or, if more information is needed, to the “minimum necessary” to accomplish the intended purpose of such use, disclosure, or request;
HHS should issue its guidance no later than August 17, 2010.
![Page 23: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/23.jpg)
AUTHORIZED USES AND DISCLOSURES OF PHI
![Page 24: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/24.jpg)
WHO CAN REQUEST AND AUTHORIZE THE RELEASE OF PHI?
Hierarchy for the authorization and release of PHI (figure).
![Page 25: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/25.jpg)
DEFINITION…WHO IS THE PERSONAL REPRESENTATIVE?
A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate.
The Privacy Rule requires a Covered Entity to treat a “personal representative” the same as the individual, with respect to uses and disclosures of the individual’s PHI, as well as the individual’s rights under the Rule.
![Page 26: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/26.jpg)
AUTHORIZATION AND DISCLOSURE
A Covered Entity must obtain the patient’s or the personal representative’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or as otherwise permitted or required by the Privacy Rule.
The authorization must be written in specific terms.
Authorization must:
Be in plain language;
Contain specific information regarding the information to be disclosed or used;
Identify who is disclosing and who is receiving the information;
State the date and/or event that will signal the expiration of the authorization; and
State the right to revoke the authorization.
![Page 27: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/27.jpg)
PHI RIGHTS CREATED BY THE HIPAA PRIVACY LAWS
![Page 28: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/28.jpg)
AN INDIVIDUAL HAS A RIGHT TO…AN ACCOUNTING OF DISCLOSURES
Individuals have a right to an accounting of the disclosures of their PHI by a Covered Entity or the Covered Entity’s Business Associates.
The maximum disclosure accounting period is the six years immediately preceding the accounting request.
A Covered Entity is not obligated to account for any disclosures made before its Privacy Compliance Date.
![Page 29: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/29.jpg)
AN INDIVIDUAL HAS A RIGHT TO… REQUEST AN AMENDMENT
The HIPAA Privacy Rule gives the patient the right to request that a Covered Entity amend the information in his or her designated record set if the patient believes that information is inaccurate or incomplete.
![Page 30: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/30.jpg)
AN INDIVIDUAL HAS A RIGHT TO…REQUEST A RESTRICTION
Individuals have the right to request that a Covered Entity restrict the use or disclosure of their PHI for various purposes. The Covered Entity is under no obligation to agree to requests for restrictions.
A Covered Entity that agrees to a restriction must comply with it, except for purposes of treating the individual in a medical emergency.
![Page 31: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/31.jpg)
RESTRICTIONS ON DISCLOSURES OF OUT-OF-POCKET SERVICES
Previously, a patient could request that a CE restrict certain disclosures of PHI; however, the CE was not obligated to comply;
Effective February 17, 2010, ARRA requires, at the request of the patient, that a provider not disclose PHI to a plan regarding an item or service paid completely out-of-pocket by the patient, except for treatment purposes.
![Page 32: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/32.jpg)
DEFINITION…PHI SECURITY REQUIREMENTS
A facility must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure.
![Page 33: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/33.jpg)
“THE AMERICAN RECOVERY & REINVESTMENT ACT” (ARRA) OR “THE ACT”
![Page 34: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/34.jpg)
HIPAA LAW UPDATE – ARRA, “THE AMERICAN RECOVERY AND REINVESTMENT ACT”
“ARRA” or the “Act,” also informally known as the “stimulus bill,” was signed into law by President Obama on February 17, 2009.
The Act made significant modifications to the HIPAA Privacy and Security Rules.
Recent and Upcoming Changes:
Feb. 17, 2009: Increased Penalty Provisions
Sept. 17, 2009: National Breach Notification Law
Feb. 17, 2010: Business Associates must comply with HIPAA Rules; Mandatory Federal Auditing; New and Increased Enforcement
Feb. 2011: Individuals affected by a HIPAA violation will be able to receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.
![Page 35: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/35.jpg)
ARRA: 2009 HIPAA AMENDMENTS
Within ARRA is the “Health Information Technology for Economic and Clinical Health Act” (HITECH).
The HITECH Act contains provisions that significantly expand the scope of the HIPAA Privacy and Security requirements.
![Page 36: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/36.jpg)
ARRA AND BUSINESS ASSOCIATES
Effective February 17, 2010, HIPAA will treat Business Associates (BAs) like Covered Entities (CEs) in many respects;
Previously, the HIPAA Privacy and Security Rules applied only to CEs, and a BA’s liability extended only to breach of the business associate contract;
Now, under ARRA, a BA will be required to comply with the HIPAA Privacy and Security Rules, and will be subject to the same HIPAA penalties and enforcement as the CE;
Existing business associate agreements (BAAs) will need to be amended to include the new HIPAA HITECH requirements.
Future BAAs will need to be drafted to include the new HIPAA HITECH requirements.
![Page 37: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/37.jpg)
BREACHES OF PHI
![Page 38: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/38.jpg)
WHAT IS A BREACH OF PHI?
A “Breach” is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security/privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
![Page 39: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/39.jpg)
WHAT IS NOT A BREACH OF PHI
A “Breach” excludes:
Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further impermissible use or disclosure;
Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, where the information received is not further used or disclosed in an impermissible manner; or
Disclosure of PHI where a CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI.
![Page 40: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/40.jpg)
BREACH RISK ASSESSMENT
CEs and BAs are required to perform and document risk assessments on breaches of unsecured PHI to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure.
(The 2013 HIPAA Omnibus Final Rule later replaced this “significant risk of harm” standard: an impermissible use or disclosure is now presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI has been compromised.)
![Page 41: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/41.jpg)
Risk Assessment Decision Tree (figure)
![Page 42: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/42.jpg)
NEW SECURITY BREACH NOTIFICATION REQUIREMENT
Under ARRA, a CE is required to notify individuals whose unsecured PHI has been, or is reasonably believed to have been accessed, acquired, or disclosed as a result of a breach.
Before the HITECH Act, a CE was not required to notify patients of an improper disclosure or breach of their PHI.
But a CE always had a duty to:
Mitigate harm; and
Account for wrongful disclosures.
![Page 43: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/43.jpg)
WHAT MUST THE NOTICE INCLUDE?
ARRA requires that a Breach Notice include:
A brief description of what happened, including the breach date and breach discovery date, if known;
A description of the types of unsecured PHI involved in the breach;
The steps individuals should take to protect themselves from potential harm from the breach;
A brief description of the steps the CE is taking to investigate the breach, mitigate losses and protect against any further breaches; and
Contact procedures for individuals to follow to ask questions or obtain additional information, including a toll-free telephone number, an email address, Web site or postal address.
If a law enforcement official states that a notification, notice or posting regarding a PHI breach would impede a criminal investigation or cause damage to national security, the health care provider or business associate must delay the notifications for the period the official specifies.
![Page 44: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/44.jpg)
THE NOTICE OF A BREACH OF UNSECURED PHI SHALL…
Provide notice of breach without “unreasonable delay” from the date of discovery – not to exceed 60 days;
If 500 or more individuals are affected, the CE must notify HHS at the same time it notifies the individuals; if more than 500 residents of a state or jurisdiction are affected, the CE must also notify prominent media outlets serving that area;
The CE must maintain a log of all breaches; breaches affecting fewer than 500 individuals are submitted to HHS annually;
A BA is not required to send a notice of breach to those affected – it is the CE’s responsibility!
Oftentimes the BA will participate in the notification process because of an existing relationship with the affected party.
![Page 45: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/45.jpg)
BUSINESS ASSOCIATE BREACH RESPONSIBILITIES
In the instance of a breach, the Business Associate shall notify the Covered Entity of the breach without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.
The notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during the breach.
The Business Associate’s responsibilities under the HITECH Act should be included in the Covered Entity’s business associate agreement (BAA) with the Business Associate.
![Page 46: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/46.jpg)
EXCEPTIONS TO THE BREACH NOTIFICATION RULE
The breach notification requirements apply only to breaches of “unsecured” PHI.
Secured PHI is not subject to the breach notification rules. (Safe Harbor Rule)
![Page 47: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/47.jpg)
SWIMMING IN THE BREACH NOTIFICATION SAFE HARBOR?
CEs and BAs are not required to follow the Department of Health and Human Services’ guidance on how PHI can be secured.
BUT…
If the CE or BA does follow the HHS guidance, these steps create the functional equivalent of a safe harbor and thus result in the CE and BA not being subject to the Breach Notification Rules.
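The encryption method defined under “What is Secured PHI?” and the safe harbor described here both turn on one engineering question: is the stored PHI actually unreadable to whoever obtains it without the key? As an added example that is not part of the presentation, the Go program below encrypts a PHI record at rest with AES-256-GCM (AES is FIPS-approved and GCM is specified in NIST SP 800-38D, consistent with the NIST publications the HHS guidance references), binding the record identifier to the ciphertext so that a record cannot be altered or moved to another patient without detection. The record format, the field names and the `MRN-000123` identifier are constructed for illustration; the key is generated in-process only for the demonstration, whereas in a real deployment it must come from a key-management system and be stored apart from the data, since a device lost with its key on it holds unsecured PHI.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample identifier for the demonstration; not a real record.
const exampleRecordID = "MRN-000123"

// NewDataKey returns a fresh 256-bit AES key. In production the key comes
// from a key-management service or HSM and is stored apart from the records,
// because the safe harbor depends on the key not being lost with the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealPHI encrypts one PHI record with AES-256-GCM. The record identifier is
// bound as additional authenticated data (AAD), so a ciphertext cannot be
// silently moved from one patient's record to another.
func SealPHI(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenPHI reverses SealPHI. Any change to the ciphertext, tag, nonce, key or
// record identifier makes it fail, so a stored record is either recovered
// intact or rejected, never returned partially corrupted.
func OpenPHI(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored record too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample PHI; not a real patient.
	record := []byte(`{"name":"Jane Doe","dob":"1970-01-01","dx":"I10"}`)
	blob, err := SealPHI(key, exampleRecordID, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored form (%d bytes) is unreadable without the key: %x...\n", len(blob), blob[:8])

	// The same ciphertext attached to a different record ID is rejected.
	if _, err := OpenPHI(key, "MRN-000999", blob); err == nil {
		panic("record-swap check failed to fire")
	}
	// A single flipped bit in the stored form is rejected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenPHI(key, exampleRecordID, tampered); err == nil {
		panic("tamper check failed to fire")
	}
	pt, err := OpenPHI(key, exampleRecordID, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered with the right key and record ID:", string(pt))
}
```

Run it with `go run`; it prints the first bytes of the stored form and the recovered plaintext, and panics if either the record-swap or the tamper check fails to fire. Note what encryption does not do: it does not limit who may use the key, so the minimum-necessary and access-control requirements still apply to everyone who holds it.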
![Page 48: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/48.jpg)
THE BREACH LOG
A CE or BA shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected.
The following information should be collected and/or logged:
A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known;
A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.); and
A description of the action taken with regard to notification of patients regarding the breach.
![Page 49: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/49.jpg)
ENFORCEMENT & ACCOUNTABILITY
![Page 50: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/50.jpg)
ENFORCEMENT & ACCOUNTABILITY
The HIPAA regulations punish individuals or organizations that fail to keep PHI confidential.
Criminal penalties for knowingly violating the HIPAA rules may include monetary fines as well as imprisonment.
Civil penalty caps now range from $25,000 to $1.5 million per calendar year for violations of an identical requirement, depending on the level of culpability.
![Page 51: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/51.jpg)
INCREASED FINES AND PENALTIES
Tier A (if the offender did not know, and by exercising reasonable diligence would not have known, that he/she violated the law):
$100 for each violation, except that the total amount imposed for all violations of an identical requirement during a calendar year may not exceed $25,000.
Tier B (if the violation was due to a reasonable cause and not willful neglect): $1,000 for each violation, …may not exceed $100,000.
Tier C (if the violation was due to willful neglect but was corrected) $10,000 for each violation, … may not exceed $250,000
Tier D (if the violation was due to willful neglect and was not corrected) $50,000 for each violation, … may not exceed $1.5 million
![Page 52: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/52.jpg)
STRATEGIES FOR HIPAA COMPLIANCE
![Page 53: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/53.jpg)
STRATEGIES FOR COMPLIANCE
• Compliance strategies, at their core, must be based upon…
• Planning; and
• Documentation.
![Page 54: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/54.jpg)
THE PRIVACY AND SECURITY OF PHI
It is all about Common Sense; and
Treating all PHI as if it were your own!
![Page 55: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/55.jpg)
A BASIC HIPAA COMPLIANCE INITIATIVE
The project management and communications arrows surround the phases because these activities are continuous for as long as the implementation project is in progress.
![Page 56: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/56.jpg)
STEP 1. UNDERSTAND HIPAA.
•Read, understand and interpret the HIPAA regulations;
•Familiarize yourself with the compliance timelines and penalties;
•Determine what part of your organization is impacted by the regulations;
•Determine if your organization is a covered entity or a hybrid entity under HIPAA;
•Conduct awareness training for all employees;
•Establish a steering committee to oversee and guide the HIPAA effort;
•Organize a team of people to track and manage the HIPAA activities;
![Page 57: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/57.jpg)
STEP 1. UNDERSTAND HIPAA (CONT.).
•Develop a strategic plan so that everyone in the organization understands the mission, goals, and objectives of the effort;
•Analyze the HIPAA regulations against existing organization-specific rules, directives, enterprise policies, etc.; and
•Analyze the HIPAA regulations against potentially preemptive, superseding, or conflicting State and Federal law.
![Page 58: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/58.jpg)
STEP 2. BASELINE THE ORGANIZATION.
•Identify privacy and security officers in each covered entity, or if using the hybrid entity model, covered health care components;
•Develop an assessment method;
•Conduct assessment activities;
•Identify your business associates and PHI electronic trading partners;
•Document potential impacts (gaps); and
•Refine your budget estimates.
![Page 59: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/59.jpg)
STEP 3. PLAN REMEDIATION STRATEGIES.
•Determine what needs to be done to close the gaps;
•Document your business compliance strategy;
•Document your technical compliance strategy;
•Refine your budget estimates as necessary;
•Seek additional funding commitment if necessary;
•Organize and/or recruit the staff necessary to close the gaps.
![Page 60: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/60.jpg)
STEP 4. REMEDIATE THE ORGANIZATION.
•Conduct appropriate levels of training;
•Establish/amend formal trading partner agreements and business associate contracts as necessary;
•Modify (remediate) business processes, business application systems, and technical infrastructure as necessary to comply; and
•Test and/or pilot modifications.
![Page 61: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/61.jpg)
STEP 5. VALIDATE COMPLIANCE.
•Develop and deploy self-verification tools and/or techniques that can be used by sub-sections of the organization to verify that they have met the requirements of HIPAA;
•Determine whether independent validation and verification techniques will be used in any of the regulation areas; and
•Solicit external validation and verification assistance as necessary.
![Page 62: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/62.jpg)
STEP 6. MAINTAIN COMPLIANCE.
•Develop and implement an ongoing compliance training program for privacy officers, security officers, new employees, etc.;
•Determine whether an ongoing HIPAA compliance office is necessary and establish one if necessary;
•Develop and implement an audit program to ensure ongoing compliance; and
•Establish change management processes so that you are prepared to deal with future changes in the HIPAA law or to individual regulation areas.
![Page 63: HIPAA Audio Presentation](https://reader033.vdocument.in/reader033/viewer/2022042601/54b880554a79595e608b458e/html5/thumbnails/63.jpg)
QUESTIONS?