Talcott HIPAA Seminar Handouts
TRANSCRIPT
8/9/17
Special Presentation: HIPAA Survival
Dr. Ty Talcott, CHPSE (Certified HIPAA Privacy and Security Expert)
• Foxworth Video
A little about me.
• Ski Lift Acrobatics • Worst of times • Best of times
How do they catch people? • Head of Georgia legislative committee • Human Error
1 – 2 – 3 • Paper protection • Practice sale
$289,000 • $31,000 • Giving your stuff to others
$3.9 million • Theft • Cyber-security / Hacking
What is HIPAA — Mandatory PHI
What is OIG – Medicare
So, why HIPAA over the last five years, and now OIG?
Let's start with HIPAA: why is HIPAA such a huge risk, all of a sudden? When we all had our little fiefdom….
Electronic medical records, mobile devices and multiple individuals accessing medical records destabilized our ability to protect PHI. No government plan, so responsibility falls back on the doctor under HIPAA.
Value of stolen information skyrockets: $5–$50 for identity theft info; as much as $500 for full health files.
Huge breaches: Target and pharmacies.
Anthem Insurance = 80 million breached. Premera Blue Cross = 11,000,000 breached.
OCR gets an extra $4 million for random physician office audits.
They started round two of those audits in July 2016.
[email protected] www.hipaacomplianceservices.com P:214.437.7559
That explains how we got to where we are with HIPAA, but how did we also become the target of the OIG, combined with the Center for Medicare Services, for demands back of funds paid to chiropractors, possibly to the tune of hundreds of millions of dollars?
Been teaching that this day was coming since 2013.
Presently teach for 33 state chiropractic associations and four colleges, and added this to my HIPAA program years ago.
Medicare funded to investigate chiropractors for the years 2014 and 2015.
Attorney General declares healthcare fraud the Dept. of Justice's number two initiative, just behind violent crime!!
Federal government has now turned attention to individual and small group physician practices.
Results were released in 2016. "54% of chiropractic Medicare claims were paid due to error or fraud."
OIG instructs CMS to take "targeted actions against chiropractors to stop these practices."
OIG got impatient, and now virtually any chiropractor could be a target!
They stated $466 million of payout reviewed, an estimated $178 million paid in error and should be due back to the government.
Appears at OIG site: "A MICHIGAN CHIROPRACTOR received unallowable Medicare payments for chiropractic services."
Results: Many other chiropractors targeted.
Payback $339,625. They will attempt to recoup.
So, what do we do about it?
OIG compliance program is about having a system in place to assure that clinics filing to a federal program do so error/fraud free.
What does an OIG program look like?
The OIG seven step process:
1. Written policies — code of ethics, documentation, etc….
2. Compliance officer
3. Training
4. Effective communication
5. Auditing
6. Enforcement
7. Detecting offenses
So, let's go back to HIPAA!!
Overview of what a HIPAA Regulatory Compliance Manual Looks Like
[Clinic Name]
Index
1. Audit Schedule for 2016
2. Compliance Officer Job Description; Notification of Officer Appointment/Posting; Policy and Procedure; Filing a complaint
3. Notice of Patient Privacy Policy – 2013 Omnibus Rules, Increased enforcement and fines
4. Forms: Consent to use PHI; Restricted Consent; Patient Authorization; Revocation of Authorization; Approve Request to Copy; Deny Request to Copy
5. Required Accounting Log – per patient
6. Corrective Action Forms
7. Employee Confidentiality Statements
8. Business Associate Confidentiality Contracts – 2013 Omnibus Rules, Increased enforcement and fines
9. Annual required Staff In-service training – privacy and security rules
10. Physical Plant Audit
11. Risk Analysis
12. ISAR
13. Required Annual A–Z HIPAA program Audit/Evaluation
14. BONUS Audits: Claim Denial Review; Medicare ABN Compliance; Clinical File Review
15. Policies and Procedures for Security Rules
16. Required Contingency plan with data recovery and emergency mode operations
17. Required equipment maintenance log
18. Model release for testimonial use
Policies & Procedures
• PRIVACY OFFICER / COMPLIANCE OFFICER • PRODUCTION OF DOCUMENTS AND DATA • RETENTION OF DOCUMENTS AND DATA • SANCTION POLICY • CONFIDENTIALITY AGREEMENTS AND B.A. CONTRACTS • SCOPE OF PROTECTION UNDER THE SECURITY RULES • APPLICABLE STATUTES / REGULATIONS • TEAM MEMBER / WORKFORCE POLICIES • PROHIBITED ACTIVITIES • SECURITY MANAGEMENT PROCESS – RISK ANALYSIS • EMERGENCY OPERATIONS PROCEDURE • EMERGENCY ACCESS • BUILDING SECURITY • ELECTRONIC COMMUNICATION • INTERNET ACCESS • REPORTING SOFTWARE MALFUNCTIONS • TRANSFER OF FILES BETWEEN HOME AND WORK OR EMPLOYEE TO EMPLOYEE • INTERNET CONSIDERATIONS • DE-IDENTIFICATION / RE-IDENTIFICATION OF PERSONAL HEALTH INFORMATION (PHI)
• USER LOGON AND IDS • ACCESS CONTROL • DIAL-IN CONNECTIONS • MALICIOUS CODE • ENCRYPTION • TELECOMMUTING • SPECIFIC PROTOCOLS AND DEVICES • RETENTION / DESTRUCTION OF MEDICAL INFORMATION • DISPOSAL OF EXTERNAL MEDIA / HARDWARE • MANAGING CHANGE • AUDIT CONTROLS • BREACH NOTIFICATION PROCEDURES • CONFIDENTIALITY / SECURITY TEAM (CST) • CONTINGENCY PLAN • SECURITY AWARENESS AND TRAINING • EMPLOYEE BACKGROUND CHECKS
Special Offer • Retail Price of $549.00 • Discounted Seminar Price of $397.00
SPECIAL PRE-PUBLICATION OFFER: OIG Compliance Program FREE with purchase of any HIPAA product from this seminar ($399 Retail Value)
Call 214-437-7559 or Email: [email protected]
• Break
Patient Name: Identification Number:
Advance Beneficiary Notice of Noncoverage (ABN) NOTE: If Medicare doesn’t pay for services below, you may have to pay.
Medicare does not pay for everything, even some care that you or your health care provider have good reason to think you need. We expect Medicare may not pay for the service below.
Services Reason Medicare May Not Pay: Estimated Cost
WHAT YOU NEED TO DO NOW: • Read this notice, so you can make an informed decision about your care. • Ask us any questions that you may have after you finish reading. • Choose an option below about whether to receive the service listed above.
Note: If you choose Option 1 or 2, we may help you to use any other insurance that you might have, but Medicare cannot require us to do this.
OPTIONS: Check only one box. We cannot choose a box for you. □ OPTION 1. I want the service listed above. You may ask to be paid now, but I also want Medicare billed for an official decision on payment, which is sent to me on a Medicare Summary Notice (MSN). I understand that if Medicare doesn’t pay, I am responsible for payment, but I can appeal to Medicare by following the directions on the MSN. If Medicare does pay, you will refund any payments I made to you, less co-pays or deductibles. □ OPTION 2. I want the service listed above, but do not bill Medicare. You may ask to be paid now as I am responsible for payment. I cannot appeal if Medicare is not billed. □ OPTION 3. I don’t want the service listed above. I understand with this choice I am not responsible for payment, and I cannot appeal to see if Medicare would pay.
Additional Information: This notice gives our opinion, not an official Medicare decision. If you have other questions on this notice or Medicare billing, call 1-800-MEDICARE (1-800-633-4227/TTY: 1-877-486-2048). Signing below means that you have received and understand this notice. You also receive a copy.
Signature: Date:
CMS does not discriminate in its programs and activities. To request this publication in an alternative format, please call: 1-800-MEDICARE or email: [email protected].
According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-0566. The time required to complete this information collection is estimated to average 7 minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have comments concerning the accuracy of the time estimate or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Baltimore, Maryland 21244-1850.
Form CMS-R-131 (Exp. 03/2020) Form Approved OMB No. 0938-0566
• Good place to pause and talk about compliant fee schedules for a second.
• When they look, they look… • They look at forms, postings, what you have people sign and whether that info. is protected.
• Dual fee systems • Point of service • Now can NOT report to ins. if patient dictates, which can cause more scrutiny.
How About You?… Do You Worry? • Dual fee schedule? • Cash discounts? • OIG inducement violations • Is your financial policy legal & compliant at all levels?
If you don't worry, YOU SHOULD! Better yet, know the rules!
To receive a Sample 1 Page Financial Policy from Dr. Foxworth, text DRT to (601) 227-7720. This is a great tool that you can customize in your office and a step toward becoming more compliant!
Which chiropractors are at risk if they do not provide translation services for the 15 top non-English languages for their patients, to satisfy the new law enacted October 16 of this year?
Best Friend
• Privacy Posting is now called the "Notice of Patient Privacy Policy"
• The Policy must include that you need special releases for:
• disclosures of psychotherapy notes; • disclosures of Protected Health Information for marketing purposes; and
• disclosures that constitute a sale of Protected Health Information; as well as a statement that other uses and disclosures not described in the Notice of Privacy Practices will be made only with authorization from the individual.
Privacy Posting Changes
• That an individual has a right to opt out of fundraising communications (i.e. if the Covered Entity intends to contact the individual regarding fundraising).
• The right of an affected individual to be notified following a breach of unsecured Protected Health Information.
• How patients can file a complaint. This can be either on your Compliance Officer Posting or in your Privacy Policy.
• The right to restrict certain disclosures of Protected Health Information to a health plan where the individual pays out of pocket in full for the health care item or service.
• These inclusions in your Notice of PPP are a great way to train part of your required in-service.
• Based on the September 2013 changes in the "Notice of Patient Privacy Policy" there are certain things you must do:
• (1) include in your 'Consent to use PHI' a statement acknowledging the patient has received a copy of the new 'Notice of Patient Privacy Policy' and distribute a copy of the policy to all NEW patients at the time the Consent to use PHI is signed, thereby acting as a signed receipt.
• (2) provide a copy to patients upon request. • (3) post, by having readily available, the new "Notice of Patient Privacy Policy" or post a summary of the changes, and have a full copy readily available.
Risk Analysis
• Risk Analysis • Date performed _________ Participants ______________________
• Inventory of Assets that contain PHI, including key staff, business associates, etc.: – Laptop Computer – On-site server – __________, etc.
Item from inventory list: Laptop computer
• Threats and vulnerabilities: 1. Viruses 2. Lack of adequate policies and procedures for who uses the computer, for what purposes 3. Unknown location overnight 4. No protocols to prevent unauthorized internet access 5. At risk for theft while being transported 6. Data at rest not encrypted 7. _________________ etc.
• Present controls in place: 4. There is a policy in place to limit unauthorized utilization of the internet 5. When transported in the car the computer is to always be locked in the trunk if left in the car
• Gap analysis – Still needed: 1. Anti-Virus 2. Adequate Policies and Procedures need to be developed and trained to staff 3. System for 'checking out' the computer, if taken off premises, to know who has it and when it is to be returned 6. Non-encrypted data
• Potential solutions: 1. Install anti-virus, buy new 2. Install anti-virus as 'additional computer' on an existing plan 3. Download anti-virus from the internet 4. Consider McAfee, Norton, AVG, Sophos 5. Policies could be written from scratch on each individual area needed 6. Existing Policies could be expanded to cover areas of concern 7. A 'checkout system' could be set up similar to a library card 8. One individual could be put in charge of 'loaning out' equipment and keeping a log of who has what, where, etc. 9. Could require the laptop never leave the office 10. Check with IT professional for encryption solutions 11. ___________, etc.
• Mitigation of risk: 1. Download and install Norton anti-virus 2. Expand existing policies to cover areas of concern relating to who is authorized to use the equipment and check it out 3. Office manager will be in charge of 'releasing' the laptop for overnight-only use 6. Office manager will oversee implementation of encryption for data at rest
• Who is going to follow up: • Office manager will assure that all components of the mitigation process are in place and functioning by ___________, record the date of implementation on the risk analysis form and create a report detailing the new function to be placed in the hands of senior management by _______ (date).
• The new wrinkle = Information Systems Activity Review
• Added request, in addition to risk analysis, started January 2015 as a new component of meaningful use attestation audits.
Information Systems Activity Review Log (HIPAA Compliance Services ©)

ASSET (one row per asset; Ex: Laptop, iPad, Desktop Station #1, Server, iPhone, ____________)

For each asset, record per control:
  Passwords              Staff trained: YES ______ Date ______   Updated/Changed:  Date ______  Date ______
  Audit Logs             Staff trained: YES ______ Date ______   Logs reviewed:    Date ______  Date ______
  Encryption             Staff trained: YES ______ Date ______   Secure/Updated:   Date ______  Date ______
  Anti-Virus / Firewalls Staff trained: YES ______ Date ______   Patches current:  Date ______  Date ______
  Back-Up                Staff trained: YES ______ Date ______   Viewed:           Date ______  Date ______

Reviewed by (signature): ______________________________ Date: _____________
Review Findings (i.e. No suspicious activity, all updates complete): ______________________________
OTHER: ______________________________
• Equipment Maintenance: Equipment is maintained by in-house IT staff _____________ (name of person/persons). Any outside work needed is monitored by such person as to who did what at what time and is recorded on the risk analysis form for easy review and update, as well as status of periodic testing for proper function of maintained equipment, if recorded.
• Data Recovery: In the event of loss of access to data, for any reason, restoration can take place via Carbonite cloud backup. Senior management is in possession of the process for restoration.
• Emergency Mode Function: This piece of equipment is not critical for basic functions in the event of a disaster such as flood, earthquake, tornado, etc. that may interrupt or destroy function. Other office equipment can access needed data and perform functionality.
The most expensive but best way to go for the larger practice that knows it costs more money to take their and staff time away from the practice than it costs for the program! Depending on how many doctors, locations, etc., this program is usually somewhere around $5000 plus expenses. (Broken into 3 payments!)
This is a very popular AFFORDABLE midrange service we provide for authoring your HIPAA compliance manual for you: risk analysis, ISAR, around 100 pages of policies, customized documents and forms, and much more required by the government. The cost is three payments of $599 each. If you have already purchased the Survival Kit, you will receive an immediate $300 credit that will apply toward the purchase of the Silver level!
• Break
• You must have policies/procedures relative to disposal of PHI records, and all staff agree to abide by them. Need to document an audit trail to prove policies were followed to complete destruction, whether by outsourcing to a service, physically destroying, or use of software to sanitize (not recommended for USB/flash media due to sector sparing: overwritten blocks may be remapped, leaving the original data in spare cells).
• Pay special attention to disposal of problem devices like printers, fax machines that store information, flash drives, etc. NIST, at the government site (Special Publication 800-88, Guidelines for Media Sanitization), is a good resource for proper disposal.
• Physical access control ** Policies must be in place and agreed to by staff, prescribing the physical safety and security of devices. All devices must be inventoried and accounted for. All computers are protected from environmental hazards. Physical access to secured areas is limited to authorized persons.
• I have written a P&P to cover physical safety and security of devices and have a plan to enforce same. __ YES __ NO
• Securing electronic transmissions and network utilization ** It is required to have integrity controls and encryption in place. Policies need to be in place prescribing network configuration and who has access, and all staff agree to abide by them.
• Access is restricted to authorized users and devices. Guest devices may not contain PHI; no peer-to-peer applications. No public instant messaging, and private instant messaging only if secured.
• Backup and Securing: encryption methods for offsite electronic media, backup tapes, data at rest, text messaging, etc.
** Backup… policies and procedures for backup and recovery are in place and agreed to by staff; all staff understand their duties during recovery. The entire system restore process is known to at least one person outside the practice.
• A copy of the recovery plan is safely stored offsite; files that are critical are documented and listed in the backup configuration. There is a timely and regular backup schedule, and every run is tested for its ability to restore data accurately. Backup media are secured or encrypted if offsite. Backups are unreadable prior to disposal. Multiple backups are maintained.
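As an added example (not part of the seminar handout), the following Python script carries out the "every run is tested for its ability to restore data accurately" check above: it builds a gzip tar backup of a directory, stores a SHA-256 manifest inside the archive, restores to a fresh location and compares every restored file against the manifest, so a restore that is silently missing, altered or padded with extra files is reported instead of assumed good. The directory layout, file names and contents are constructed for illustration; the Carbonite service named elsewhere in the handout is not involved.

```python
"""Backup run with restore verification (added example, not from the handout).

Builds a gzip tarball of a directory, stores a SHA-256 manifest inside it,
restores to a fresh directory and checks every file against the manifest.
All file names, paths and contents below are constructed for illustration.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large exports are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def make_backup(root, archive):
    """Archive root into a tar.gz with MANIFEST.json inside; return the manifest."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(root, rel), arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def restore(archive, restore_dir):
    """Extract the archive and return the manifest recorded at backup time."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter refuses absolute paths and ".." traversal
            # (Python 3.12+, backported to recent 3.8-3.11 releases).
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)
    manifest_path = os.path.join(restore_dir, "MANIFEST.json")
    with open(manifest_path) as f:
        manifest = json.load(f)
    os.remove(manifest_path)
    return manifest


def verify(manifest, restore_dir):
    """Return paths that are missing, altered or unexpected; [] means a clean restore."""
    restored = build_manifest(restore_dir)
    problems = [rel for rel, digest in manifest.items() if restored.get(rel) != digest]
    problems.extend(sorted(set(restored) - set(manifest)))
    return problems


def demo():
    """Back up constructed sample data, verify a clean restore, then catch a tampered one."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ehr_export")           # constructed sample data
        os.makedirs(os.path.join(src, "notes"))
        with open(os.path.join(src, "patients.csv"), "w") as f:
            f.write("id,name\n1001,Sample Patient\n")
        with open(os.path.join(src, "notes", "visit.txt"), "w") as f:
            f.write("SOAP note placeholder\n")
        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive)

        good_dir = os.path.join(work, "restore_good")
        clean = verify(restore(archive, good_dir), good_dir)

        bad_dir = os.path.join(work, "restore_bad")
        manifest = restore(archive, bad_dir)
        with open(os.path.join(bad_dir, "patients.csv"), "a") as f:
            f.write("1002,Injected Row\n")               # simulate a corrupted restore
        tampered = verify(manifest, bad_dir)
        return clean, tampered


if __name__ == "__main__":
    print(demo())   # expected: ([], ['patients.csv'])
```

The manifest travels inside the archive so the restore side can never be separated from it; in practice the `verify` result for each scheduled run is what gets filed as the restore-test record the handout asks for.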
** Access control policies must be in place and all staff agree to abide by them (document this). What to do at termination of an employee; every user account must be documented to be tied to a currently authorized individual; minimum necessary states an individual may only access what is needed to perform their work; all files must be set to allow only authorized individuals to use. Computers running healthcare data are not allowed for other uses.
• Awareness training relative to these and all other issues is required (annual and ongoing).
• Determining which audit logs to activate
• Only the audit logs you will actually use and monitor are appropriate to be activated. Choosing which audits to have open is based on risk and sensitivity of data.
• Auditing your use of logins/trails
• Tracking must contain, at the least, personal ID, date, time, reason for accessing (view, change, delete) and show all attempts, successful and unsuccessful.
• Your logins should time out / lock out after three attempts. There should be written reports in your HIPAA manual relative to summary of logs and sanctions in place for violations.
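As an added example, not from the handout, here is a small Python review of an access log of the kind described above. Each record carries a user ID, date and time, the action (login, view, change, delete) and the result; the script flags any user who reached three consecutive failed logins, flags a successful login that followed such a streak (which means the lockout did not take effect), lists successful deletions for review, and reports lines that lack a required field. The line format (`timestamp key=value ...`) and every log line are constructed assumptions.

```python
"""Audit-log review for a small practice (added example, not from the handout).

Record format is an assumption: one record per line,
"<ISO timestamp> user=<id> action=<login|view|change|delete> result=<ok|fail> [record=<chart id>]".
Every sample line below is constructed for illustration.
"""
import re
from collections import Counter, defaultdict

REQUIRED_FIELDS = ("ts", "user", "action", "result")
LOCKOUT_THRESHOLD = 3          # handout: lock out after three failed attempts
VALID_ACTIONS = {"login", "view", "change", "delete"}

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<rest>.+)$")

# Constructed sample log: one lockout-worthy streak, a login that should have
# been blocked, one deletion, and one line that is not a valid record.
SAMPLE_LOG = """\
2017-08-09T08:02:11 user=provider1 action=login result=ok
2017-08-09T08:05:40 user=provider1 action=view result=ok record=PT-1001
2017-08-09T08:06:02 user=frontdesk action=login result=fail
2017-08-09T08:06:15 user=frontdesk action=login result=fail
2017-08-09T08:06:31 user=frontdesk action=login result=fail
2017-08-09T08:06:50 user=frontdesk action=login result=ok
2017-08-09T08:07:12 user=frontdesk action=view result=ok record=PT-1002
2017-08-09T09:15:00 user=provider1 action=delete result=ok record=PT-0999
2017-08-09T09:16:00 user=billing action=change result=fail record=PT-1002
this line is not an audit record
"""


def parse_record(line):
    """Return a dict of fields, or None if the line lacks a required field."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    if any(k not in fields for k in REQUIRED_FIELDS):
        return None
    if fields["action"] not in VALID_ACTIONS:
        return None
    return fields


def review_log(text):
    """Summarise the log and surface the items a compliance officer must act on."""
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            malformed.append(line)
        else:
            records.append(rec)

    streak = Counter()          # consecutive failed logins per user
    lockouts = []               # (user, ts) when the third consecutive failure hit
    anomalies = []              # (user, ts) successful login while a lockout was due
    for rec in records:
        if rec["action"] != "login":
            continue
        user = rec["user"]
        if rec["result"] == "fail":
            streak[user] += 1
            if streak[user] == LOCKOUT_THRESHOLD:
                lockouts.append((user, rec["ts"]))
        else:
            if streak[user] >= LOCKOUT_THRESHOLD:
                anomalies.append((user, rec["ts"]))
            streak[user] = 0

    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["user"]][rec["action"] + ":" + rec["result"]] += 1

    deletions = [(r["ts"], r["user"], r.get("record", "?"))
                 for r in records if r["action"] == "delete" and r["result"] == "ok"]

    return {
        "lockouts": lockouts,
        "anomalies": anomalies,
        "deletions": deletions,
        "malformed": malformed,
        "summary": {user: dict(c) for user, c in summary.items()},
    }


if __name__ == "__main__":
    for key, value in review_log(SAMPLE_LOG).items():
        print(key, value)
```

The `summary` block is the per-user activity count that can be pasted into the written log-review report the handout calls for; `lockouts`, `anomalies` and `deletions` are the lines that need a sanction decision or a follow-up.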
• Physical Plant "Walk Through" Audit • Office: ________________ Date: ______________
• Area of review • Compliant – Y/N • Comments
• Patient charts located in secure area. Y/N
• Names on charts protected. Y/N
• Information at front desk protected. Y/N
• Insurance/Collection calls not able to be heard from patient area. Y/N
• Computer screens with rapid timeout / password protected. Y/N
• Sign-in sheet does not contain health information. Y/N
• Phone messages kept in protected area. Y/N
• Charts not left in unprotected areas of office with identifiable information visible. Y/N
• Charts not left in exam or treatment areas after patient treatment. Y/N
• X-rays / other diagnostic tools removed from examination/treatment area after patient treatment. Y/N
• Patient information and treatment not discussed in common areas. Y/N
• Recognition boards / pictures etc. do not include identifiable information. Y/N
• Privacy provided as needed based on treatment provided. Y/N
• Patient Rights accessible upon request. Staff knowledgeable about location. Y/N
• Blackout screens • Computer Passwords • Rapid timeout screensavers • Relocation of Computers • Relocation of staff member • New Sign-In sheet
Critical points taken from the HIPAA CONFERENCE hosted by OCR, CMS and NIST in Washington DC
Enforcement so far based on complaints and pilot audits.
Now ramping to enforcement program.
If asked to volunteer, I recommend you do NOT.
There is no immunity and prosecution is "never off the table".
They go through the process of how many rules broken to determine fine level.
HHS will be notifying select entities that they are subject to an audit.
Respond as instructed or a desk audit will turn into an on-site audit.
They will be requesting a list of your B.A.
Findings of these audits will turn into a compliance investigation and enforcement.
Required In-Service
• Here are some key points for your required In-Service.
– History of HIPAA – Benefits of Compliance With The Privacy Laws
– Why do we need to be compliant? – The Privacy Rule: Who Is Affected
• Our Compliance/Privacy Officer is: _____________________________
• Our Privacy Rules can be reviewed by patients; the policy is located __________.
• No records are faxed or mailed from the office unless the Compliance/Privacy Officer is notified so that proper consents and procedures can be followed.
• All patient information is considered private; therefore staff is expected to:
• Make sure all records are kept confidential and out of sight.
• Patients are not discussed outside the office • Phone conversations are kept private and not held where other patients can hear sensitive information.
This office will destroy records in the following manner:
1. Burn or 2. Shred 3. Outside company
Documentation will be kept of all records destroyed and the manner of destruction.
This office will secure records in the following manner:
1. 2.
Disciplinary Standards & Enforcement
Confidential information includes: · Any communication between a patient and the doctor. · Any communication between a patient and other clinical persons regarding: • All clinical data, i.e., diagnosis, treatment; patient transfer to a facility for treatment of drug abuse, alcoholism, mental/psychiatric problem.
Release of Patient Information
Telephone Requests for Release of Confidential Patient Information
• Medical information regarding a patient shall not be released over the telephone except when required for immediate patient care.
Fax Requests for Release of Confidential Patient Information
• Authorization for release of medical information will be accepted through a fax machine (hard copy is preferred). Information will be faxed to physicians' offices only, and only in emergency cases and/or when the patient is in the office.
• Break
Business Associate Contracts
– Business Associate is directly liable under the HIPAA Privacy Rule for uses and disclosures of Protected Health Information that are not in accordance with its Business Associate agreement or the HIPAA Privacy Rule itself.
– Business Associates remain contractually liable for all other HIPAA Rule obligations; this subjects them to the same possible fines and penalties.
– (Business Associates are any entity that has access to your electronic records, that you transmit records to, or that stores records for you.)
Which chiropractors are at risk if they do not provide translation services for the 15 top non-English languages for their patients, to satisfy the new law enacted October 16 of this year?
But who really has to follow these rules, and how can you go about satisfying these regulations?
1. A chiropractor is exempt if they do not treat any individuals that are eligible for Medicare, Medicaid or have received any other government funds (Meaningful Use attestation, grants, etc.) from any other federal program.
2. A chiropractor is exempt if they only treat Medicare Part B patients and no other type of patient eligible for a federally funded program.
3. A chiropractor is NOT exempt and must follow the rules if they treat, contract or have any relationship with any Medicare Part C (Advantage and/or replacement plans) or Medicaid patients, EVEN IF THEY also participate in Medicare Part B!
So, if they must follow the rules, what do they have to do?
A. You must post notices (taglines) to patients and their families stating that translation services are available in the top 15 required languages for your state. (Family members may NOT substitute for translators; the translators must be "qualified".)
These taglines must also be included in larger and more standard publications. For smaller publications (for example, postcards), the top two languages for each state must be used. A full list of the top 15 languages for each state can be found at: HHS Top 15 Languages by State.
B. Written translations must be available for: websites (it appears that for physicians the entire website does not have to be translated and only the taglines/short notices must be published at the website) and critical written materials that will be given to patients such as discharge notifications, medication instructions, treatment plans, insurance benefits, etc.
C. Physicians must post a nondiscrimination notice that covers several key factors. HHS has a "sample" non-discrimination notice at: http://www.hhs.gov/sites/default/files/sample-ce-notice-english.pdf and HHS has provided several language samples for taglines.
Translators in all of these languages available? Obviously a clinic cannot afford to hire translators, etc. Google search 'language interpreters for affordable care act'.
The healthcare world of regulation will continue to heighten as we are embroiled in issues regarding cybersecurity, Medicare fraud and healthcare reform.
Best Friend