HIPAA: Where Are We and Where Are We Going?? A Survey of the Current HIPAA Landscape
Gail Edson Halterman, Lathrop & Gage L.C.
HCCA Region VII Conference, August 1, 2003


Page 1:
HIPAA: Where Are We and Where Are We Going??
A Survey of the Current HIPAA Landscape
Gail Edson Halterman, Lathrop & Gage L.C.
HCCA Region VII Conference, August 1, 2003

Page 2:
August 1, 2003
► We have had: 109 Days of Privacy
► We have: 74 Days Until Standard Transactions and Medicare’s Required Electronic Claims Submission (October 16, 2003)
  - 624 Days to Get Secure (April 21, 2005)

Page 3:
PRIVACY: Where are We?
► April 14, 2003: The ENFORCEMENT Date
  - The Office of Civil Rights (OCR) is the ENFORCER
  - OCR has received several hundred complaints
► Some Complaints were not properly filed
► Continual re-emphasis that OCR is the kinder, gentler enforcement agency
  - No indication by OCR that Penalties have been imposed

Page 4:
PRIVACY: COMPLAINTS
► March 20, 2003 – HHS Issues Complaint Process in the Federal Register
► Complaints must:
  - Be filed in writing, either on paper or electronically (OCR Form recommended)
  - Name the entity that is the subject of the complaint and describe the acts or omissions in violation of the statute or regulations;
  - Be filed within 180 days when the complainant knew or should have known that the act or omission occurred;
  - Relate to violations that occurred AFTER April 14, 2003

Page 5:
PRIVACY: COMPLAINTS
► Complaints can be made by anyone – the regulations do not specify that it must be the subject of the information
► Complaints must be mailed, faxed or emailed to the OCR regional office in which the covered entity is located
► Region VII (IA, KS, MO or NE): OCR, 601 E 12th Street, KC, MO 64106, (816) 426-7278, fax: (816) 426-3686 or [email protected]

Page 6:
PRIVACY: Enforcement
► General Approach to enforcement:
  - HHS “intends to seek and promote voluntary compliance with the rules promulgated to carry out the HIPAA Provisions.”
  - OCR “will seek the cooperation of covered entities in obtaining compliance. . . [and] will seek to resolve matters by informal means before issuing findings of non-compliance.”
  - CMS “Enforcement Activities will focus on obtaining voluntary compliance through technical assistance. The process will be primarily complaint driven and will consist of progressive steps that will provide opportunities to demonstrate compliance or submit a corrective action plan.”

Page 7:
Enforcement
► Violations:
  - Civil Penalties –
    ► up to $100 per violation, not to exceed $25,000 per year
    ► Defenses - no willfulness involvement; organization exercised reasonable diligence

Page 8:
Enforcement
Criminal Penalties
► applies in knowing violations of regulations
► Can be subject to fines of not more than $50,000 or jail time of not more than 1 year or both
► If the offense is committed under false pretenses, can be subject to fines of not more than $100,000 or imprisoned for not more than 5 years or both
► If the offense involves the intent to sell or transfer PHI for commercial gain or malicious harm, can be subject to fines of not more than $250,000 or jail time of 10 years or both.

Page 9:
PRIVACY: Enforcement
► Interim Rules related to civil money penalties (CMPs) issued April 17, 2003
► Enforcement Regulations are applicable to investigations, imposition of penalties and hearings conducted as a result of proposed CMPs.
► Not a lot of new information
► Waiting for more!

Page 10:
PRIVACY: Enforcement
► Requires HHS to provide written notice to Covered Entity of proposed penalty
► Notice must contain:
  - A description of the findings of fact
  - Reasons why the penalty is being proposed
  - Instructions for response to the Notice, including the right to request a hearing

Page 11:
PRIVACY: Enforcement
► If a hearing is requested, it is heard before an administrative judge.
► The request for hearing must meet certain specifications
► Secretary of HHS has authority to settle disputes

Page 12:
PRIVACY: Enforcement
► What We Know
  - CMPs only for Knowing Violations
  - CMPs can be reduced or waived
  - 6 year statute of limitations on violations for CMP purposes
  - Due process issues exist in current rule
► What We Don’t Know
  - Does a HIPAA violation have an impact on compliance with Medicare Conditions of Participation?
  - Details of how CMPs will be determined

Page 13:
PRIVACY: Certification of Business Associates
► Joint Commission on Accreditation of Health Care Organizations (JCAHO) and the National Committee for Quality Assurance (NCQA) will be certifying business associates
► 8 Organizations have committed to seeking certification
► Any type of BA is eligible for certification
► Once certification application is submitted, a survey of practices is conducted to see compliance with JCAHO and NCQA standards

Page 14:
PRIVACY: Certification
► Standards for Certification of Business Associates issued and are intended to address:
  - Privacy protections the business associate uses for oral, written and electronic health information
  - Employee training in protecting PHI
  - Consumer access to health information held by the business associate
  - Contracting between covered entities and the business associate
► Standards were not available at the time of presentation material deadline

Page 15:
PRIVACY: IMPLEMENTATION QUESTIONS
► Biggest areas of questions/concerns thus far:
  - BUSINESS ASSOCIATES
    ► Are they or aren’t they?
    ► Remember “extension” deadline for all contracts is April 14, 2004
  - RESEARCH
    ► When can we use PHI for Reviews Preparatory to Research
  - RESPONDING TO SUBPOENAS
  - ACCOUNTING OF DISCLOSURES
  - LAW ENFORCEMENT COMMUNICATIONS

Page 16:
BUSINESS ASSOCIATES
► No need for Business Associate Agreement in TREATMENT situations
► COVERED ENTITY has the obligation to obtain the Business Associate Agreement
► TWO PART TEST:
  - Do they perform a service or function on behalf of a COVERED ENTITY?
  - Do they receive PHI in doing so?

Page 17:
REVIEWS PREPARATORY TO RESEARCH
► A covered entity can use or disclose PHI to a researcher IF the researcher represents:
  - The use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for a similar purpose;
  - The PHI will not be removed from the covered entity in the course of the review (including notes of the researcher); and
  - The PHI requested is necessary for the researcher

Page 18:
RESPONDING TO SUBPOENAS
► Generally – No disclosure pursuant to a subpoena UNLESS:
  - Qualified Protective Order
  - Written assurances from party seeking the information:
    ► Of a good faith attempt to provide notice to the subject and no objection was made; or
    ► That a request for a Qualified Protective Order has been submitted to the Court.
► Workers Compensation
  - If state law allows party issued subpoenas – may disclose PHI pursuant to subpoena

Page 19:
ACCOUNTING FOR DISCLOSURES
► Right to an Accounting
  - patient may request accounting of uses and disclosures made within the last 6 years (beginning 4/14/03).
  - An Accounting must be given within 60 days of request.

Page 20:
Disclosures NOT included in Accounting
► Disclosures made for TPO
► Disclosures for which there has been an opportunity to object (as permitted)
► Disclosures made incidental to permissible disclosures
► Disclosures made pursuant to an authorization

Page 21:
Disclosures NOT included in Accounting
► Disclosures for national security or intelligence purposes
► Disclosures made to correctional institutions and law enforcement officials
► Disclosures made as part of a limited data set
► Disclosures that occurred prior to 4/14/03

Page 22:
So What Must Be Included in an Accounting?!
► Uses or Disclosures made by mistake (i.e. violations)
► Most of the PERMITTED uses and disclosures:
  - Except for disclosures made:
    ► For National Security or Intelligence Purposes
    ► To Law Enforcement
    ► To Correctional Facilities

Page 23:
So What Must Be Included in an Accounting?!
► PERMITTED DISCLOSURES = all other disclosures (not included in an exception above) listed in 45 CFR § 164.512
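The accounting rules on slides 19 through 23 reduce to a filter over a disclosure log. The Python below is an added example, not part of the presentation: it applies the deck's window (last 6 years, not before 4/14/03), its exclusion list and the 60-day response deadline to a constructed log. The purpose category names, the Disclosure fields and the sample entries are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Purpose categories taken from slides 20-21 (the deck's "NOT included" list).
# The category names themselves are an assumption of this example.
EXCLUDED_PURPOSES = {
    "tpo",                    # treatment, payment, health care operations
    "opportunity_to_object",  # disclosures the patient could object to
    "incidental",             # incidental to a permissible disclosure
    "authorization",          # made pursuant to a patient authorization
    "national_security",
    "law_enforcement",
    "correctional",
    "limited_data_set",
}

PRIVACY_RULE_DATE = date(2003, 4, 14)  # slide 19/21: nothing before 4/14/03
LOOKBACK_YEARS = 6                     # slide 19: last 6 years
RESPONSE_DAYS = 60                     # slide 19: accounting due within 60 days


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    when: date
    recipient: str
    purpose: str      # an EXCLUDED_PURPOSES key, "violation", or "permitted_164_512"
    description: str


def window_start(request_date: date) -> date:
    """Earliest disclosure date the accounting must reach back to."""
    try:
        six_years_back = request_date.replace(year=request_date.year - LOOKBACK_YEARS)
    except ValueError:  # request made on Feb 29: fall back to Feb 28
        six_years_back = request_date.replace(year=request_date.year - LOOKBACK_YEARS, day=28)
    return max(six_years_back, PRIVACY_RULE_DATE)


def response_deadline(request_date: date) -> date:
    """Date by which the accounting must be given to the patient."""
    return request_date + timedelta(days=RESPONSE_DAYS)


def build_accounting(log: List[Disclosure], patient_id: str, request_date: date) -> List[Disclosure]:
    """Return the disclosures that must be listed, oldest first.

    Kept: violations and all other 164.512 disclosures inside the window.
    Dropped: anything on the deck's exclusion list or outside the window.
    """
    start = window_start(request_date)
    return sorted(
        (d for d in log
         if d.patient_id == patient_id
         and start <= d.when <= request_date
         and d.purpose not in EXCLUDED_PURPOSES),
        key=lambda d: d.when,
    )


# Constructed sample log for one covered entity.
SAMPLE_LOG = [
    Disclosure("P001", date(2003, 3, 1), "State health dept", "permitted_164_512", "pre-4/14/03, outside window"),
    Disclosure("P001", date(2003, 5, 2), "Health plan", "tpo", "claim submitted"),
    Disclosure("P001", date(2003, 6, 15), "Wrong fax number", "violation", "misdirected fax"),
    Disclosure("P001", date(2003, 7, 1), "Public health authority", "permitted_164_512", "required report"),
    Disclosure("P001", date(2003, 7, 20), "Police dept", "law_enforcement", "identification request"),
    Disclosure("P001", date(2003, 8, 1), "Employer", "authorization", "signed release"),
    Disclosure("P002", date(2003, 6, 20), "Wrong patient portal", "violation", "other patient's record"),
]

if __name__ == "__main__":
    req = date(2003, 8, 1)
    print("window starts", window_start(req), "deadline", response_deadline(req))
    for d in build_accounting(SAMPLE_LOG, "P001", req):
        print(d.when, d.recipient, d.purpose, d.description)
```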

Page 24:
LAW ENFORCEMENT COMMUNICATIONS
► Can Provide PHI to Law Enforcement IF:
  - Required by Law to Do So (e.g. reporting gunshot wounds)
  - In compliance with court, grand jury or administrative agency-ordered warrant or subpoena or request
  - Limited info for identification and location purposes (suspect, fugitive, material witness or missing person)
  - Victim of a Crime and individual agrees or it is in the best interest of the individual
  - For purposes of alerting to the death of individual if death resulted from crime
  - Reporting a crime on the premises
  - Reporting crime in emergencies

Page 25:
TRANSACTIONS & CODE SETS

Page 26:
Transactions and Code Sets: A Quick Overview
► The Standards regulate the transmission of electronic data and require standard formatting for the transmissions.
► Accredited Standards Committee’s Insurance Subcommittee (ANSI X12N): define how electronic data is to be structured to accurately and consistently represent data contained in paper based documents.

Page 27:
Transactions and Code Sets
► Any time you are engaging in these 8 activities electronically (or someone is on your behalf) you must comply.
► 8 Standard Transactions
  - health care claims or equivalent encounter information (including Medicaid claims) (837);
  - eligibility for a health plan (270/271);
  - referral certification or authorization (278);
  - health care claim status (276/277);

Page 28:
Transactions and Code Sets
► 8 Standard Transactions (con’t):
  - enrollment and disenrollment in a health plan (834);
  - health care payment and remittance advice (835);
  - health plan premium payments (820); and
  - coordination of benefits (837)

Page 29:
Code Sets Required
► Current Procedural Terminology (CPT-4): For Physician and other related services
► International Classification of Diseases, Clinical Modification (ICD-9-CM): For diagnosis and inpatient hospital services
► HCFA Common Procedure Coding Systems (HCPCS): For physician and other related services
► Code on Dental Procedures and Nomenclature (CDT-2): For dental services
► NCPDP OR NDC: For Retail Drug Claims

Page 30:
Code Sets Indirectly Recognized
► UB-92
► HCFA 1500
► Non-medical codes (revenue codes, etc.)

Page 31:
Electronic Transactions
► After October 16, 2003, Medicare will no longer accept paper claims (some exceptions apply)
► Likely Medicaid and Private Payors will follow!

Page 32:
Implementation Guides
► What are they?
  - Format: how information should be arranged
  - Content: what information should be included
  - Code Sets: how information should be reported
  - Order or Download from: http://www.wpc-edi.com/hipaa/HIPAA_40.asp
► Many, many pages (For example: Implementation Guide for 837 Professional Claims is 768 pages)

Page 33:
TRANSACTIONS & CODE SETS
► 74 days until the “TRAIN WRECK”
► AHA and other associations have great concern about the ability to go about our business on and after October 16, 2003 and have urged Congress to consider another extension, or at least remedial efforts to address payment issues
► National Committee on Vital and Health Statistics recommends no delay but “flexible enforcement”
► Where are you in your readiness?

Page 34:
RESOURCES
► Resource: Strategic National Implementation Process: SNIP
  - www.wedi.org/snip (National)
  - www.mosnip.com (Missouri)
  - www.hark.info (Kansas)
  - www.iowasnip.org (Iowa)
  - www.nesnip.org (Nebraska)

Page 35:
THE SECURITY RULE

Page 36:
SECURITY: The New Kid On the Block
► Enforcement Date: April 21, 2005
► Requires physical, administrative and technical safeguards be in place to protect ELECTRONIC PHI (EPHI)
► HOWEVER – Privacy Rule requires that covered entities have physical, administrative and technical safeguards in place to protect PHI in any form or medium

Page 37:
SECURITY
► No answer from HHS as to whether standards for security will be required for privacy RIGHT NOW.

Page 38:
Intent of the Security Rule
► Ensure confidentiality, integrity and availability of all electronic PHI
► Protect against reasonably anticipated threats or hazards
► Protect against any reasonably anticipated use or disclosure not required or permitted by the Privacy Rule

Page 39:
Intent of Security Rule
► Use any security measure deemed appropriate by the entity to reasonably implement the Security standards – Each entity MUST make documented security implementation decisions that take into account its
  - Risk analysis
  - Structure, etc.
  - Cost
  - Technical capabilities

Page 40:
Security Regulations Overview
► Requires Standards and Implementation Specifications for:
  - Administrative Safeguards
  - Physical Safeguards
  - Technical Safeguards

Page 41:
Security Regulations Overview
► All standards are required (18)
► Some implementation specifications are required, some are merely “addressable” (i.e. suggested)
► “Addressable” should allow for flexibility
► There is no distinction between data at rest and data in transmission

Page 42:
Security Regulations Overview
► Paper-to-paper faxes, person-to-person telephone calls, video teleconferencing, or messages left on voicemail are not covered by the Security Regulations

Page 43: HIPAA: Where Are We and Where Are We Going?? A Survey of the Current HIPAA Landscape Gail Edson Halterman Lathrop & Gage L.C. HCCA Region VII Conference

Standards: Administrative Safeguards

► Standard: A covered entity must implement policies and procedures to prevent, detect, contain and correct security violations
► REQUIRED Implementation:
  Risk Analysis
  Risk Management
  Sanctions Policy
  Information System Activity Review (i.e. internal audit)

Page 44

Standards: Administrative Safeguards

► Standard: Assign Security Responsibility
► REQUIRED Implementation: Identify the security official who is responsible for the security practices

Page 45

Standards: Administrative Safeguards

► Standard: Workforce Security
  Implement policies and procedures to ensure the workforce has appropriate access
► ADDRESSABLE Implementation:
  Authorization and/or supervision
  Workforce clearance
  Termination procedures (when employees exit)

Page 46

Standards: Administrative Safeguards

► Standard: Information Access Management
  Implement policies and procedures for authorizing access consistent with the Privacy Rule
► REQUIRED Implementation:
  Isolating health care clearinghouse functions
► ADDRESSABLE Implementation:
  Access authorization
  Access establishment and modification

Page 47

Standards: Administrative Safeguards

► Standard: Security Awareness and Training
  Implement a security awareness training program for all members of the workforce (including management)
► ADDRESSABLE Implementation:
  Security Reminders
  Protection from Malicious Software
  Log-in Monitoring
  Password Management

Page 48

Standards: Administrative Safeguards

► Standard: Security Incident Procedures
  Implement policies and procedures to address security incidents
► REQUIRED Implementation:
  Response and Reporting (instructions for reporting and responding to security breaches, and documentation of security incidents and their outcomes)

Page 49

Standards: Administrative Safeguards

► Standard: Contingency Plan
  Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contain PHI
► REQUIRED Implementation:
  Data Backup Plan
  Disaster Recovery, Emergency Mode Operations Plan
► ADDRESSABLE Implementation:
  Testing and Revision Procedures
  Applications and Data Criticality Analysis

Page 50

Standards: Administrative Safeguards

► Standard: Evaluation
  Perform periodic technical and non-technical evaluation in response to environmental or operational changes
► No Implementation Specifications, but examples include:
  Updating software
  Evaluating performance of the system and making necessary adjustments

Page 51

Standards: Administrative Safeguards

► Business Associate Contracts
  No more “Chain of Trust”
  Satisfactory Assurances that the business associate will appropriately safeguard information
► REQUIRED Implementation:
  Written Contract
► Ensure security is also covered in the privacy Business Associate Agreement

Page 52

Standards: Physical Safeguards

► Standard: Facility Access Control
  Implement policies and procedures to limit physical access to electronic information
► ADDRESSABLE Implementation:
  Contingency Operations
  Facility Security Plan
  Access control and validation
  Maintenance Records

Page 53

Standards: Physical Safeguards

► Standard: Workstation Use
  Implement policies and procedures that specify the functions, the physical attributes of the surroundings, and the manner in which functions are performed
► No Implementation Specifications, but examples include:
  Moving screens away from common areas, etc.

Page 54

Standards: Physical Safeguards

► Standard: Workstation Security
  Safeguards for access
► No Implementation Specifications, but examples include:
  Restricting access to authorized users
  Using password protections, etc.

Page 55

Standards: Physical Safeguards

► Standard: Device and Media Controls
  Govern the receipt and removal of hardware and electronic media into and out of the facility, and movement within the facility
► REQUIRED Implementation:
  Disposal (where do your hard drives go?)
  Media re-use
► ADDRESSABLE Implementation:
  Accountability
  Data backup and storage

Page 56

Standards: Technical Safeguards

► Standard: Access Control
  Technical safeguards to limit access
► REQUIRED Implementation:
  Unique User Identification
  Emergency Access Procedures
► ADDRESSABLE Implementation:
  Automatic Logoff
  Encryption and Decryption

Page 57

Standards: Technical Safeguards

► Standard: Audit Controls
  Implement mechanisms that record and examine activity in information systems
► No Implementation Specifications, but examples include:
  Using network intrusion detection
  Performing system-wide evaluation
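The Audit Controls standard above, the Information System Activity Review on the earlier Administrative Safeguards slide, and the Log-in Monitoring item under Security Awareness and Training all rest on the same mechanism: record activity, then examine it. The following is an added example, not code from the presentation or from Lathrop & Gage, showing what "examine" can look like in practice. The log format, the business-hours policy and the thresholds are assumptions for the example, and the log lines are constructed, not taken from any real system.

```python
"""Audit-log review example: parse constructed access-log lines and flag the
kinds of activity an Information System Activity Review would escalate."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real system). Assumed format: an ISO
# timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2003-08-01T09:02:11 user=nurse1 event=login result=ok src=10.0.0.5
2003-08-01T09:03:40 user=nurse1 event=view record=PT-0042 result=ok
2003-08-01T09:05:02 user=nurse1 event=view record=PT-0042 result=ok
2003-08-01T23:41:17 user=clerk7 event=login result=ok src=10.0.0.9
2003-08-01T23:42:05 user=clerk7 event=view record=PT-0101 result=ok
2003-08-01T23:42:09 user=clerk7 event=view record=PT-0102 result=ok
2003-08-01T23:42:14 user=clerk7 event=view record=PT-0103 result=ok
2003-08-01T23:42:20 user=clerk7 event=view record=PT-0104 result=ok
2003-08-01T23:42:26 user=clerk7 event=view record=PT-0105 result=ok
2003-08-02T08:10:00 user=admin event=login result=fail src=192.0.2.7
2003-08-02T08:10:04 user=admin event=login result=fail src=192.0.2.7
2003-08-02T08:10:09 user=admin event=login result=fail src=192.0.2.7
2003-08-02T08:10:15 user=admin event=login result=fail src=192.0.2.7
"""

# Assumed review policy; a real entity sets these from its own risk analysis.
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59
FAILED_LOGIN_THRESHOLD = 3      # failed logins per user before escalation
BULK_VIEW_THRESHOLD = 5         # distinct records per user per clock hour


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    entry = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        entry[key] = value
    return entry


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def review(entries):
    """Return a list of (rule, user, detail) findings for the review file."""
    findings = []
    failed = defaultdict(int)
    # user -> clock-hour bucket -> set of distinct records viewed
    views = defaultdict(lambda: defaultdict(set))
    for e in entries:
        user = e.get("user", "?")
        if e.get("event") == "login" and e.get("result") == "fail":
            failed[user] += 1
        if e.get("event") == "view":
            # Record access outside business hours is worth a second look.
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append(("after_hours_access", user, e["record"]))
            bucket = e["ts"].strftime("%Y-%m-%dT%H")
            views[user][bucket].add(e["record"])
    # Log-in monitoring: repeated failures against one account.
    for user, count in failed.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_login", user, str(count)))
    # Bulk record access: many distinct patients viewed in a short window.
    for user, buckets in views.items():
        for bucket, records in buckets.items():
            if len(records) >= BULK_VIEW_THRESHOLD:
                detail = f"{len(records)} records in hour {bucket}"
                findings.append(("bulk_record_access", user, detail))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} {user:8} {detail}")
```

The value of the review is only as good as the log it reads, so the sanctions policy and the documentation standard matter here too: findings should be written down with their outcome, and the log itself needs the integrity protection discussed under the Technical Safeguards.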

Page 58

General Safeguards

► Standard: Draft Policies and Procedures
► Standard: Documentation
► REQUIRED Implementation:
  Record retention of policies and procedures – at least 6 years
  Availability
  Updates

Page 59

Standards: Technical Safeguards

► Standard: Integrity
  Implement safeguards to protect electronic PHI from improper alteration or destruction
► ADDRESSABLE Implementation:
  Mechanisms that corroborate that information has not been altered or destroyed

Page 60

Standards: Technical Safeguards

► Standard: Person or Entity Authentication
  No Implementation Specifications, but examples include:
  Verifying that persons or entities seeking access are the ones claimed

Page 61

Standards: Technical Safeguards

► Standard: Transmission Security
  Implement technical security measures to guard against unauthorized access to electronic PHI transmitted over an electronic communications network
► ADDRESSABLE Implementation:
  Integrity Controls
  Encryption
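The Integrity standard two slides back asks for "mechanisms that corroborate that information has not been altered", and the Transmission Security slide lists Integrity Controls for data on the wire. One mechanism covers both: a keyed message authentication code computed over the record and checked before the record is trusted, whether it was read from disk or received over a network. The example below is added here and is not code from the presentation or from Lathrop & Gage; it uses only the Python standard library, the record fields are constructed, and the key handling (a random key generated in the demo) stands in for whatever key store an entity actually uses.

```python
"""Integrity-control example: HMAC-SHA256 tag over an ePHI record so that
alteration in storage or in transit is detected before the record is used."""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Deterministic serialization: same content always gives the same bytes,
    so reordering fields does not produce a false tamper alarm."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Attach a keyed tag. Only holders of the key can produce a valid tag,
    which is what a plain (unkeyed) hash cannot guarantee: anyone who can
    alter the record could simply recompute a plain hash."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(sealed["record"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo():
    """Seal a constructed record, then show that a one-field change is caught.
    Returns (verified_before_change, verified_after_change)."""
    key = secrets.token_bytes(32)  # constructed for the demo; use a key store
    record = {"patient_id": "PT-0042", "visit": "2003-08-01", "dx": "J18.9"}
    sealed = seal(record, key)
    ok_before = verify(sealed, key)

    # Simulate alteration in storage or in transit: deep-copy via JSON so the
    # original sealed object is untouched, then change one field.
    tampered = json.loads(json.dumps(sealed))
    tampered["record"]["dx"] = "Z00.00"
    ok_after = verify(tampered, key)
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print(f"intact record verifies: {before}; altered record verifies: {after}")
```

The tag travels with the record, so for transmission the receiver needs the same key; for data at rest the tag can be stored alongside the row. This corroborates that the content is unchanged but does not hide it, which is why the slide lists Encryption as a separate control.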

Page 62

GET STARTED

► SECURITY RISK ANALYSIS
  Identify potential threats to the organization
  Evaluate the likelihood that the threat will occur
  Estimate the harm from such an occurrence
  Determine whether planned or existing controls exist to reduce or eliminate the risk
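The four steps above are the backbone of the Risk Analysis that the Security Management Process slide lists as a REQUIRED implementation, and the resulting register is the "documented security implementation decision" the flexibility slide calls for. The following is an added example, not code from the presentation or from Lathrop & Gage: a small risk register that carries the four steps through to a ranked, documented result. The ordinal scales, the risk appetite threshold, and the threats and controls in the register are assumptions constructed for illustration; the threats echo items from the Physical and Technical Safeguards slides.

```python
"""Risk-analysis worked example: identify threats, rate likelihood and harm,
credit existing or planned controls, then rank and document the result."""
from dataclasses import dataclass, field

# Assumed 3-point ordinal scales; many entities use 4 or 5 points instead.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
RISK_APPETITE = 4   # assumed: residual risk above this must be treated


@dataclass
class Control:
    name: str
    reduces: str    # "likelihood" or "impact"
    by: int         # how many scale steps the control removes
    status: str     # "existing" or "planned"


@dataclass
class Threat:
    name: str
    asset: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)


def inherent_risk(t: Threat) -> int:
    """Step 2 and 3: likelihood x harm with no credit for controls."""
    return LIKELIHOOD[t.likelihood] * IMPACT[t.impact]


def residual_risk(t: Threat) -> int:
    """Step 4: credit existing or planned controls, never below 1 on a scale."""
    like = LIKELIHOOD[t.likelihood]
    imp = IMPACT[t.impact]
    for c in t.controls:
        if c.reduces == "likelihood":
            like = max(1, like - c.by)
        elif c.reduces == "impact":
            imp = max(1, imp - c.by)
        else:
            raise ValueError(f"unknown control target: {c.reduces}")
    return like * imp


def analyze(register):
    """Rank threats by residual risk (highest first) and record a decision."""
    rows = []
    for t in register:
        residual = residual_risk(t)
        action = "treat" if residual > RISK_APPETITE else "accept and monitor"
        rows.append((t.name, inherent_risk(t), residual, action))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


# Constructed register for the example (not a real entity's analysis).
REGISTER = [
    Threat("Lost or stolen laptop holding ePHI", "laptops", "medium", "high",
           [Control("Full-disk encryption", "impact", 2, "existing")]),
    Threat("Hard drive leaves facility without wiping", "media", "high", "high",
           [Control("Media sanitization procedure", "likelihood", 2, "planned")]),
    Threat("Flood in server room", "servers", "low", "high",
           [Control("Offsite backups", "impact", 1, "existing")]),
    Threat("Shared login credentials", "clinical system", "high", "medium"),
]

if __name__ == "__main__":
    for name, inh, res, action in analyze(REGISTER):
        print(f"{res:2} (inherent {inh})  {action:20} {name}")
```

The point of writing it down this way is that each number is traceable to a rating and a named control, which is exactly what a reviewer will ask to see when the entity explains why it chose one security measure over another.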

Page 63

Contact Information

Gail Edson Halterman
Lathrop & Gage L.C.
2345 Grand Boulevard, Suite 2400
Kansas City, Missouri 64108
[email protected]
816.460.5404
816.292.2001 (fax)