Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.

Presentation on theme: "Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC."— Presentation transcript:

1 Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC

2 What is the rule?
  State vs. Federal laws: how does that work?
  What goes in the Notice of Privacy Practices?
  What tools are available to help?

3 idx?SID=f97320836308edcaaff61071d30ec1ba&tpl=/ecfr browse/Title45/45cfr164_main_02.tpl

4 e22sec1711-C.html

5 Health Information Technology for Economic and Clinical Health (HITECH) - 2009
  Omnibus Rule - 2013
  Case Law

6 MeHIMA Legal Resource Manual
  AHIMA (members): Engage / Communities of Practice, Body of Knowledge
  HHS – OCR: General Information, FAQs

7 /coveredentities/index.html

8 Gap analysis
  Define current state
  Determine goal
  Develop a plan to meet your goals
  Update and reevaluate

9 Fully compliant
  Compliant, but just need to update for HITECH
  Partially compliant, but have a plan
  Partially compliant, and don’t know where to go
  Not sure? What is HITECH?

10 Read the rule
  Know the sections
  Don’t memorize, but be familiar with the language
  Know your internal rule
  How to use your risk assessment(s)?
  Applicable P&P
  What to do if …

11 udit/protocol.html
  “Please be aware that the protocol has not yet been updated to reflect the Omnibus Final Rule but a version reflecting the modifications will be available in the future.” (website note regarding the audit tool)
  The rule has been updated to include 78 FR 5695, January 25, 2013 (the Omnibus Final Rule)

12 If you wait until you are audited, it’s too late …
  Create documents that comply with each performance criterion
  Risk Analysis
  Create practical P&Ps (cite the rule in the policy, e.g. 45 CFR §…)
  Create a table of contents or summary log
  Publish internally
  Train your workforce and other applicable people
  Give people access to the tools as necessary


14 Section
  Established performance criteria
  Key activity
  Audit Procedures: what questions are auditors likely to ask?
  Implementation Specification: Required vs. Addressable (need documentation and support)
  HIPAA compliance area: breach, security, or privacy

15 Conduct Risk Assessment (Security and Privacy)
  Audit only looks to security
  IT Systems and Services: security capability
  Purchase equipment
  Certified eMR
  P&P (monitor activity)
  Reduce Risks (identified in risk assessment)
  Risk Management

16 Assign Security Responsibility
  Select a security officer
  Define and document duties
  Workforce security
  Establish access and supervision
  Role based security
  Limit access to need to know
  Clearance process
  Access termination process
  Information Access
  P&P related to access: when, who, how long, etc.
  Consistent with the rules

17 Train (everyone)
  Plan and strategy
  When
  Who
  What (log-in, password management, organizational tools, etc.)
  Document

18 Response plan
  Identify
  Investigate
  Correct
  Mitigate
  Contingency Plan
  Disaster Recovery
  Data Backup
  Emergency Operations Plan
  Test and Revise

19 Maybe internal or external
  Look at entire system (document method)
  Document
  Make changes as necessary
  Rinse and repeat

20 Assess
  Create/Document/Develop/Approve
  Implement
  Monitor
  Respond

21 HITECH requires BAs to be bound by HIPAA – CEs still need BAAs
  BAA updated to reflect Jan. 25, 2013
  overedentities/contractprov.html

22 Protect the place where the information is kept
  Card access, etc.
  HR and safety issues can also be addressed here
  Address emergencies, maintenance, housekeeping, etc.
  Identify Workstations
  Access
  Surroundings
  Proper purpose and use

23 Disposal of PHI including ePHI
  Assign accountability
  Backup, storage, disposal, everything related to media devices
  Mobile and remote access devices

24 Assess need and capabilities (patients have a right to get information in electronic form)
  Encryption
  Addressable?
  Unique identifier for each user
  Technical controls
  Emergency Access
  Auto log off and other security related issues

25 Use system to audit activity
  Track specific activities based on risk (e.g. break the glass)
  Document process and audit results

26 Integrity
  Protect information
  Track modifications
  Determine methods for proper authentication
  Methods to properly authenticate ePHI
  Addressable
  Legal risk
  Transmission security
  Data sent from the organization

27 Risk Assessment
  Define the process (what constitutes a low risk of compromise)
  nts/ahima/bok1_050335.hcsp?dDocName=bok1_050335
  Notification
  Individual
  Others as applicable

28 45 CFR §164.502 General Rule
  (a) Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
  Notice of Privacy Practices (NPP)
  45 CFR §164.520 Notice of privacy practices for protected health information.
  Defines your HIPAA rules

29 Training
  Sanctions
  Protect data
  Mitigate damages
  Non-retaliation
  Process for things listed in NPP (accounting of disclosures, opt out, copies of records, amendment, restrictions, etc.)

30 idx?SID=f97320836308edcaaff61071d30ec1ba&tpl=/ecfr browse/Title45/45cfr164_main_02.tpl (45 CFR § 164, retrieved 8/6/2014)
