2 Learning Objectives
After this course and presentation, you, the participant, will be able to:
- Recall the definition of the term HIPAA.
- Recall the different provisions of the law contained in HIPAA regulations.
- Recall how HIPAA affects our organization and each individual associate.
- Define what Protected Health Information is.
- Identify Protected Health Information.
- Recall the meaning of the term PHI.
- Safeguard Protected Health Information.
- Recall key components of the Privacy and Security Policy.

3 Purpose of this Course
This HIPAA training program has been developed to give you information and training concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- HIPAA affects the way we handle specific client data.
- It is our responsibility to ensure that any Protected Health Information (PHI) is safeguarded and not disclosed while in our possession.
- This course has been developed to help you learn the basics about HIPAA.
- We appreciate your effort in helping us become HIPAA ready.

4 What is HIPAA?
- A Federal law enacted in 1996
- Acronym for “Health Insurance Portability and Accountability Act”
- Enacted to safeguard Protected Health Information
- Contains severe penalties for both intentional and unintentional violations

5 What is HIPAA?
- Contains guidelines for confidentiality of PHI (Protected Health Information)
- The privacy portion of HIPAA became effective April 14, 2003
- Mandates uniform standards and formats for electronic health information and code sets for routine types of health transactions

6 How does HIPAA affect ArchCare & You?
- We all must abide by certain rules and regulations that protect privacy and healthcare information, particularly Protected Health Information (PHI)
- This information may come to us in the form of databases, patient information sheets or electronically
- HIPAA policies and procedures have been developed to specify how we will safeguard PHI while it is in our areas

7 What is Protected Information?
- Name
- Address
- SSN
- Clinical Notes
- Etc.
It may come in:
- Faxes
- Other correspondence

8 What actions must we take to safeguard media containing PHI?
- A key word in the HIPAA regulations is ‘REASONABLE’
- REASONABLE steps
- REASONABLE effort
- Our policies and procedures contain reasonable steps to meet the rules and regulations of the HIPAA Privacy Standard

9 What are reasonable safeguards?
- All established procedures for your department must be followed in handling and safeguarding PHI in any form, including from an FTP site, electronically, or media (portable hard drives, iPads, tablets, laptops, DVDs, CDs, tapes, CD-ROMs, etc.)
- PHI should NEVER be left open, accessible or in plain view.

10 Penalties for Non-Compliance?
- Employees are to understand HIPAA and also take it seriously
- CMS, AHCA and the OIG have outlined severe penalties for HIPAA violations

11 What are the Penalties? Unintentional Disclosure
- As the law is now written, the penalty is $100 per occurrence
- Disciplinary action will be taken, up to and including termination.

12 What are the Penalties? Intentional Disclosure
- A fine of up to $250,000 may be imposed with the possibility of 10 years in prison
- An employee’s employment with the company will be terminated.

13 What to do?
- Immediately notify your Supervisor

14 What is a business associate?
- A person or organization that performs a function on behalf of a covered entity (our doctors, for example) but is not part of the entity’s (the doctor’s) workforce.
- Any organization that handles a doctor’s PHI, regardless of format, is considered his or her Business Associate.

15 What is a BAA? Business Associate Agreement
- The HIPAA Privacy Standard permits disclosure of the doctor’s PHI to Business Associates after obtaining a satisfactory BAA from the business associate.

16 Business Associate Agreement
- Do doctors need a BAA? Short answer: Yes
- Will all entities require a BAA? YES!

17 HIPAA Actions at ArchCare
- Compliance Officer
- Policies and Procedures
- Implementing Rules and Regulations

19 Summary of HIPAA Standard Rule
The summary of the HIPAA Security Standards Rule begins:

This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information.

This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

20 Purpose and Rationale
What is the purpose?
- The purpose of the Security Standards rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.
Why?
- Because there were no standard measures existing in the health care industry that addressed all aspects of the security of electronic protected health information while it is in use, in storage, or during the exchange of that information between entities.
- Because HIPAA mandated security standards to protect an individual's health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans.

21 What does enforcement look like?
The enforcement process for HIPAA transactions and code will be primarily complaint driven.
Process:
- Upon receipt of a complaint, CMS will notify the provider of the complaint, and the provider would have the opportunity to demonstrate compliance, or to submit a corrective action plan.
- If the provider does neither, then CMS will have the discretion to impose penalties.

22 Privacy versus Security under HIPAA
- PHI in paper, oral and electronic form
- Only electronic PHI
- Extend to the personnel of a covered entity even if they work at home
- Minimum level of documentation that must be retained for 10 years

23 More About the Security Rule
Key Point: The Security Rule requires Covered Entities to conduct a Risk Analysis of their electronic equipment and to develop policies and procedures to protect PHI on these systems.
Breakdown of HIPAA Security Standards:
- Technical (21%): 4 Required, 5 Addressable
- Administrative (55%): 12 Required, 11 Addressable
- Physical (24%): 6 Addressable

24 Addressable Implementation Specifications
Covered entities must assess if an implementation specification is reasonable and appropriate based on such factors as:
- Risk Analysis
- Security Controls
- The Cost of Implementation

25 Addressable Implementation Specs
- If the implementation specification is determined to be reasonable and appropriate, then the covered entity should implement it.
- If the implementation is not reasonable and appropriate, then the covered entity should:
  - Step 1: Document why it would not be reasonable to implement
  - Step 2: Implement an equivalent alternative measure if reasonable and appropriate
  - Step 3: Do not implement and explain, in detail, why, in your documentation

26 Policy and Procedure
- Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § (b)(i),(ii),(iii) and (iv)
- This standard is not to be construed to permit or excuse an action that violates any other standard, implementation spec or other requirements of this subpart
- A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

27 HIPAA Security Policy
Sanction Policy
An employee whose actions inadvertently lead to the compromise or breach of ePHI will receive the following sanctions:
- 1st occurrence: verbal warning from supervisor
- 2nd occurrence: written warning from supervisor and copy of warning put in the employee’s official company file
- Additional occurrences: suspension or other actions up to and including termination of employment

28 HIPAA Security Rules Policies (Cont)
Access Authorization Policy:
- Access to information must be granted based on an individual’s job responsibilities.
- Access control features, where available, must be implemented to allow users access to only the data and functions required to perform their duties.

29 HIPAA Security Rules Policies (Cont)
Protection from Malicious Software Policy:
Applies to:
- All PCs (desktops, laptops)
- Servers
- Internet gateways
- servers
- Smart phones, iPads, tablets
What to do if you have a virus?
NOTE: Backup copies of production software and data will be readily available in the event that a computer needs to be restored due to a virus

30 HIPAA Security Rules Policies (Cont)
Password Management Policy:
- Unique User ID
- Passwords must be kept in confidence
- Do NOT write any password on a sticky note and post it in your work area!
- Unacceptable passwords include: ‘password’, ‘1234’, ‘first initial last name’, ‘qwerty’, birthdays, children’s names and many others
- Complete sentences are the best passwords

31 HIPAA Security Rules Policies (Cont)
Security Incident Procedures:
If a breach of a system or unintentional release of electronic PHI occurs, then:
- Immediate notification of the HIPAA Compliance Officer, which is the same as your entity Compliance Officer
- Actions will be taken immediately by the appropriate department to minimize the damage done by the breach or disclosure. Appropriate individuals will complete the Incident Report Form.
Note:
- All actions taken by an employee concerning this incident will be well documented and copies provided to the HIPAA Compliance Officer
- All actions taken will be completely documented

32 HIPAA Security Rules Policies (Cont)
Access Control and Validation Procedures
- An I.D./access badge will be issued to each employee.
- The access badge must be worn at all times while on Company property.
- When employment ends, the access badge must be returned immediately. The badge must be deleted from the access system immediately.

33 HIPAA Security Rules Policies (Cont)
Workstation Use and Security Policies:
All employees will implement workstation locking with screen saver on all computers:
- When walking away from your computer, hit “Control + Alt + Delete”, then “Lock this Computer”
- Consult IT for locking assistance
- Remember: LOCK IF YOU WALK!

34 HIPAA Security Rules Policies (Cont)
Unique User Identification Policy:
- All users are required to log in to systems before usage is granted.
- All users must log in with a unique username and password.

36 HIPAA Security Rules Policies (Cont)
[Figure: sample ArchCare access badge showing Picture, Name (Dan Doctor, MD), Position (Physician) and Organization (ArchCare Advantage)]
Access badge must be displayed at all times while on Company property.

37 HIPAA Security Rules Policies (Cont)
Device and Media Disposal Policy
This policy will apply to:
- PDAs
- Laptops
- iPads and Tablets
- Desktop Computers
- Backup Tape and Disks
- Flash Drives
If a hard drive or media cannot be cleaned as described, it will be physically destroyed in a manner that will make it completely unusable and unrecoverable.

38 HIPAA Security Rules Policies (Cont)
Encryption Policy
- All files that contain PHI that are sent over public networks will be encrypted
- Where possible, strong encryption such as SSL, PGP or AES is used to secure files before transmission.

39 Impact of not complying with the HIPAA Security Final Rule
What’s the Impact?
- Possible litigation or other lawsuits
- Loss of public confidence
- Penalties
  - Civil monetary for each violation of a standard
  - Criminal for wrongful disclosure of PHI
- Other actions may be forthcoming

40 In Review
Today we have studied:
- The definition of the term HIPAA
- The different provisions of law contained in HIPAA regulations
- How HIPAA affects our organization and each individual employee
- The meaning of the term PHI
- How to safeguard PHI
- The key components of Privacy and Security Policy