Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright© 2010 WeComply, Inc. All rights reserved. 4/28/2015 HIPAA Privacy and Security.

Published byKrystal Halliday Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright© 2010 WeComply, Inc. All rights reserved. 4/28/2015 HIPAA Privacy and Security."— Presentation transcript:

1 Copyright© 2010 WeComply, Inc. All rights reserved. 4/28/2015 HIPAA Privacy and Security

2 Copyright© 2010 WeComply, Inc. All rights reserved. 4/28/2015 HIPAA Privacy and Security

3 Copyright© 2010 WeComply, Inc. All rights reserved. In the news…

4 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20104 What Is HIPAA? Among HIPAA's primary purposes are — Privacy and security of healthcare information Standardization of healthcare data Simplification of healthcare operations to help reduce costs Insurance portability for individuals who change jobs or become unemployed Preventing discrimination against applicants or businesses Preventing fraud through stiffer penalties and tighter controls We must also comply with more restrictive state laws regarding privacy and security of healthcare information

5 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20105 What Is HIPAA? Among HIPAA's primary purposes are — Privacy and security of healthcare information Standardization of healthcare data Simplification of healthcare operations to help reduce costs Insurance portability for individuals who change jobs or become unemployed Preventing discrimination against applicants or businesses Preventing fraud through stiffer penalties and tighter controls We must also comply with more restrictive state laws regarding privacy and security of healthcare information

6 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20106 What Is HIPAA? (Cont’d) Among HIPAA's primary purposes are — Privacy and security of healthcare information Standardization of healthcare data Simplification of healthcare operations to help reduce costs Insurance portability for individuals who change jobs or become unemployed Preventing discrimination against applicants or businesses Preventing fraud through stiffer penalties and tighter controls We must also comply with more restrictive state laws regarding privacy and security of healthcare information

7 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20107 Who Is Subject to HIPAA? Covered entities include hospitals, insurance companies, self-insured employers and small physician practices Three categories of covered entities: Healthcare plans Health providers Clearinghouses HIPAA applies to companies that offer healthcare and treatment to their employees on-site

8 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20108 Who Is Subject to HIPAA? (cont’d) Business associates are individuals and businesses that help covered entities carry out healthcare activities and functions Auditors, consultants, lawyers Claims-processing firms, pharmacy benefit managers Business associates are subject to HIPAA in two ways: They must provide written assurance that they will use information only for proper purposes, safeguard information from misuse, and help covered entity comply with HIPAA privacy duties They must comply directly with HIPAA regulations requiring administrative, physical and technical safeguards for security of protected information

9 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20109 Pop Quiz! What happens if a business associate of a covered entity violates HIPAA? A.The business associate will be subject to the same HIPAA penalties as the covered entity. B.The business associate will be liable to the covered entity only for breach of contract. C.Nothing – business associates aren't subject to HIPAA.

10 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201010 Protected Health Information (PHI) Protected health information includes any part of an individual's medical record or payment history PHI concerns — Any past, present or future physical or mental health of an individual Providing healthcare to an individual Payment for healthcare of an individual Any identifiable health information becomes PHI under HIPAA Privacy Rule covers PHI in all forms, while the Security Rule covers only electronic PHI

11 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201011 HIPAA Privacy A covered entity may use or disclose an individual's PHI only under these conditions: To communicate directly with the individual about his/her PHI With the individual's written authorization or other legal agreement Without the individual's authorization for treatment, payment and operations When using or disclosing PHI we must try to limit our use or disclosure as much as possible

12 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201012 HIPAA Privacy (Cont’d) A covered entity may use or disclose an individual's PHI only under these conditions: To communicate directly with the individual about his/her PHI With the individual's written authorization or other legal agreement Without the individual's authorization for treatment, payment and operations When using or disclosing PHI we must try to limit our use or disclosure as much as possible

13 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201013 Notice of Privacy Practices Covered entity must furnish Notice of Privacy Practices to individuals with whom it has direct treatment relationship At enrollment, within 60 days of material revision, and at least every three years To anyone who requests it On any website it maintains for customer-service or benefits information Covered entity must document compliance by retaining copies of issued notices Covered entity must make good-faith effort to obtain patient's written acknowledgment of receiving NPP

14 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201014 Notice of Privacy Practices (cont’d) Covered entity must furnish Notice of Privacy Practices to individuals with whom it has direct treatment relationship At enrollment, within 60 days of material revision, and at least every three years To anyone who requests it On any website it maintains for customer-service or benefits information Covered entity must document compliance by retaining copies of issued notices Covered entity must make good-faith effort to obtain patient's written acknowledgment of receiving NPP

15 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201015 Notice of Privacy Practices (cont’d) Covered entity must furnish Notice of Privacy Practices to individuals with whom it has direct treatment relationship At enrollment, within 60 days of material revision, and at least every three years To anyone who requests it On any website it maintains for customer-service or benefits information Covered entity must document compliance by retaining copies of issued notices Covered entity must make good-faith effort to obtain patient's written acknowledgment of receiving NPP

16 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201016 Reasonable Safeguards Covered entity must use reasonable safeguards to protect confidentiality of PHI Speaking softly when discussing PHI in public spaces Not using name of individual whose PHI is being discussed Reminding employees to keep PHI secure at workstations and in public spaces Isolating and locking filing cabinets containing PHI Equipping computers with password-protected screensavers

17 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201017 Using PHI for Marketing Covered entities may not disclose PHI for marketing purposes without patient's written authorization Covered entity does not need written authorization to communicate — To describe product or service provided by the covered entity For treatment purposes For case-management, care-coordination, or to recommend alternative therapies/providers For face-to-face communications For other communications that promote health in general manner

18 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201018 Pop Quiz! PHI may be disclosed without the patient's written authorization in which of the following situations? A.Sending marketing literature about healthcare-related products to the patient. B.Sending marketing literature about non-healthcare-related products to the patient. C.Recommending any products to the patient in a face-to-face conversation.

19 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201019 HIPAA Security Security Rule addresses creation, receipt, maintenance and transmission of electronic PHI by covered entities and their business associates Primary goals: To maintain confidentiality of stored and transmitted electronic PHI To protect electronic PHI from unauthorized creation, modification and deletion To ensure that electronic PHI is available to authorized individuals/entities when needed Requires administrative, physical and technical safeguards

20 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201020 Administrative Safeguards Administrative safeguards: Security Officer responsible for the development and implementation of security policies Workforce Security plan for granting employees varying levels of access to PHI Contingency Plan for responding to emergencies and natural disasters Business Associate Contracts to protect confidentiality of PHI exchanged Termination Procedures to prevent terminated employee from having access to confidential information

21 Copyright© 2010 WeComply, Inc. All rights reserved. In the news…

22 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201022 Physical Safeguards Physical safeguards: Facility Access Controls that allow only authorized access to places where PHI is kept Workstation Use procedures for PHI displayed on computer screens Workstation Security — secured rooms, curtains, partitions or user IDs/passwords for workstations on which PHI is processed Device and Media Controls for handling computer hardware and software, including proper disposal and storage

23 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201023 Technical Safeguards Technical safeguards: Access Controls limiting PHI access on need-to-know basis based on roles and context Audit Controls for recording and examining system activity to eliminate unnecessary access to PHI Person or Entity Authentication using passwords, PIN numbers, biometrics or tokens to ensure only authorized access to PHI Transmission Security to protect PHI during transmission over electronic networks, including encryption, firewalls, SSL/TLS protocol and S/MIME support

24 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201024 Pop Quiz! A pharmaceutical company set up a service to send regular e-mail messages to remind people to take their anti-depressant medication. Due to a programming error, each of the people who received an e-mail message could see the names and e-mail addresses of all of the others to whom reminder messages were sent. Does this present a HIPAA problem? A.Yes. B.Maybe, if the e-mail messages were not encrypted. C.No, because it was due to a programming error — not a breach of security.

25 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201025 Handling PHI Follow these guidelines when handling PHI: Access PHI only to extent necessary to perform job-related functions Obtain authorization whenever using PHI for marketing purposes Destroy PHI once it is no longer needed Take steps to verify proper receipt of transmitted PHI Secure work areas by keeping documents containing PHI in locked cabinet and maintaining strong passwords on electronic systems Take special precautions while working in field or at home to ensure PHI is secured in laptop computers and briefcases

26 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201026 Security Breach Secure PHI is information that is — Protected by a technology or methodology specified by HHS Rendered "unusable, unreadable, or indecipherable" to unauthorized persons Shredded/destroyed so that it cannot be read or reconstructed If there is a security breach involving unsecured PHI: Notice must be given to affected individuals If breach affects 500 or more individuals, notice must also be given Government and media Report security breach to your supervisor or Privacy Officer immediately

27 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201027 Security Breach (Cont’d) Secure PHI is information that is — Protected by a technology or methodology specified by HHS Rendered "unusable, unreadable, or indecipherable" to unauthorized persons Shredded/destroyed so that it cannot be read or reconstructed If there is a security breach involving unsecured PHI: Notice must be given to affected individuals If breach affects 500 or more individuals, notice must also be given Government and media Report security breach to your supervisor or Privacy Officer immediately

28 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201028 PHI Rights of Individuals Individuals have these rights over use and disclosure of their PHI: Covered entities must abide by individual's request not to divulge PHI if he/she is paying for full service cost Individuals are entitled to copies of records that covered entity keeps electronically Individuals have right to request that covered entity correct inaccurate PHI Covered entities maintaining electronic health records must provide accounting of all PHI disclosures during prior three years upon request Fundraisers must notify individuals of right to opt out of future fundraising solicitations

29 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201029 Enforcement Failure to comply with HIPAA can lead to significant penalties: Civil fines from $100 to $50,000 for each violation up to $1.5 million per year Criminal penalties for basic offense may include fine of up to $50,000 and/or imprisonment for up to one year Criminal penalties for offense committed with intent to use PHI for commercial advantage may include fine up to $250,000 and/or imprisonment for up to ten years

30 Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/201030 Enforcement (cont’d) Failure to comply with HIPAA can lead to significant penalties: Civil fines from $100 to $50,000 for each violation up to $1.5 million per year Criminal penalties for basic offense may include fine of up to $50,000 and/or imprisonment for up to one year Criminal penalties for offense committed with intent to use PHI for commercial advantage may include fine up to $250,000 and/or imprisonment for up to ten years

31 Copyright© 2010 WeComply, Inc. All rights reserved. 4/28/2015 Final Quiz

32 Copyright© 2010 WeComply, Inc. All rights reserved. 4/28/2015 Questions?

33 Copyright© 2010 WeComply, Inc. All rights reserved. 4/28/2015 Thank you for participating! This course and the related materials were developed by WeComply, Inc. and the Association of Corporate Counsel.

Download ppt "Copyright© 2010 WeComply, Inc. All rights reserved. 4/28/2015 HIPAA Privacy and Security."

Similar presentations

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December 2012 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

Similar presentations

Ads by Google