Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Published byCiera Richey Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1."— Presentation transcript:

1 Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1

2  HIPAA  42 CFR Part 2  Other potential privacy laws: Privacy Act, FERPA, AK PIPA, other State laws  Other healthcare liability concerns for management and board members  Effective compliance plans 2

3 42 CFR Part 2 State LawHIPAA Least Strict Most Strict HIPAA is usually the minimum for confidentiality, and 42 CFR Part 2 is usually the maximum. 3

4  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains three parts: Privacy Rule  Who can access medical records and why? Security Rule  Are the medical records properly and safely stored? Transactions and Code Set Standards  Are healthcare transactions conducted under the proper standards? 4

5  To protect the rights of consumers and control inappropriate use of health information  To improve quality of health care by restoring trust in the system  To improve efficiency and effectiveness of health care delivery 5

6  Quick summary of key concepts: HIPAA applies to Covered Entities. Covered Entities are required to protect Protected Health Information. Uses and disclosures are allowed for treatment, payment and health care operations. 6

7  Privacy Rule obligations are imposed only on Covered Entities: Health plans Health care providers Health care clearinghouses  Persons who are not Covered Entities may still be affected by HIPAA  Persons who do not handle health information may still be subject to HIPAA 7

8  HIPAA governs the use and disclosure of protected health information (PHI)  PHI is individually identifiable health information (IIHI), written or oral.  PHI excludes information in education records covered by the Family Educational Rights and Privacy Act, and employment records held by a covered entity in its role as employer. 8

9  A Covered Entity may use and disclose PHI without patient permission for treatment, payment, and health care operations (TPO).  These terms are broadly defined and can apply to a number of uses and disclosures. 9

10  The Privacy Rule generally requires covered entities take reasonable steps to limit use or disclosure to the minimum necessary to accomplish the intended purpose.  Disclosures for treatment purposes or pursuant to an authorization are excluded from the minimum necessary requirements.  Covered entity decides the minimum necessary! 10

11  In addition to treatment, payment and healthcare operations, Covered Entities can disclose PHI to Business Associates.  Business Associate: A person other than a member of the Covered Entity’s workforce who performs a function or activity on behalf of a Covered Entity involving the use or disclosure of PHI. 11

12  It is the responsibility of the Covered Entity to enter into Business Associate Agreements with their business associates.  Business Associate Agreement can be separate document or included as provision in larger contract.  Covered Entity may be a business associate, as well as a covered entity. 12

13  Provide information to patients about their privacy rights and how their information can be used (Notice of Privacy Practices).  Adopt clear privacy procedures.  Train employees to understand privacy procedures.  Protect patient records that contain IIHI.  Report breaches of PHI. 13

14  The Security Rule was enacted to physically protect health information.  Focuses on administrative, physical and technical security of information. Administrative: Employee access rights Physical: Workstation locations Technical: Automatic logoff  HITECH – HIPAA now includes breach reporting requirements. 14

15  Conduct Risk Assessment  Security Management Process  Assigned Security Responsibility  Access Authorization  Termination  Awareness & Training  Security Incidents  Contingency Plans  Evaluation  Business Associate Agreements 15

16  Facility Walkthrough  Security Plan  Contingency Operations – can be part of overall emergency response plan  Maintenance records  Workstations  Disposal & Destruction  Backup & Copy  Reuse & Recycling of Equipment  Encyrption& Decryption 16

17  Access controls  Automatic Logoff  Termination  Audit Controls  Integrity  Person or Entity Authentication  Data Transmission 17

18 HITECH/HIPAA  Acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI.  Only applies to “unsecured PHI”, such as unencrypted data on a laptop, etc. AK PERSONAL INFORMATION PROTECTION ACT (AK PIPA)  Unauthorized acquisition, or reasonable belief of unauthorized acquisition of personal information that compromises the security, confidentiality or integrity of the personal information.  Only applies to “personal information”: not encrypted or redacted; combination of name and identifying number (SSN, DL#, credit card or bank account, etc.) 18 Privacy breach insurance is available!!!

19 HITECH  Only covers unsecured protected health information  Written notification  More than 500 affected requires notice to media  Notice within 60 days of discovery  Specific notice requirements  Notice to HHS or annual log of breaches AK PIPA  Covers “personal information” if reasonable likelihood of harm  Written or electronic notice  More than 300,000 requires notice to media  Requires reporting to AG even if no harm caused  Make sure this is covered in business associate agreements and vendor contracts 19

20  Do you receive federal assistance? If no, no further analysis necessary, you are not a 42 CFR Part 2 Program.  If yes, does any of your federal funding go to substance abuse treatment? Separate substance abuse programs; OR Individuals, entities, or units within a facility or organization that hold themselves out as providing alcohol or drug abuse diagnosis, treatment or referral for treatment  It is the kind of services provided and the general reputation or promotion of the program, not the name or description of the program that defines whether 42 CFR Part 2 applies. 20

21 HIPAA  Covered Entities  Protected Health Information (PHI)  Protects medical record numbers  Allows disclosures without authorization for treatment, payment and healthcare operations  Business Associate Agreements 42 CFR PART 2  Part 2 Programs  Information that identifies substance abuser  Does not protect medical record numbers  Does not allow any disclosure without consent except in very limited special circumstances  Qualified Service Organization Agreements 21

22  Privacy Act of 1974 – primarily Alaska Native programs, but also Federal agencies  Alaska Personal Information Protection Act  FERPA – Family Educational Rights and Privacy Act – schools  State laws re: substance abuse, behavioral health, etc. 22

23  Management needs to understand how to implement and comply with these laws  Your board may encounter health information as well: Grievance procedures Discussion of compliance issues Direct patient contact  Case law has established a board’s duty to oversee a compliance program for healthcare organizations.  The Board is ultimately responsible, but management is responsible for getting them information. 23

24  The more regulation, the higher the possibility of violations (intentional or unintentional)  Compliance programs help to mitigate those risks  Government has increased money and resources for enforcing the regulations 24

25  Effectively prevent, detect and correct noncompliance  Also prevent and address fraud, waste and abuse  Effective communication among all staff and leadership  Seven Elements of an Effective Compliance Program 25

26  Written policies and procedures  Compliance officer, committee and high- level oversight  Effective training and education  Effective lines of communication  Well-publicized disciplinary standards  Effective system for routine monitoring and auditing  Prompt response to compliance issues 26

27  Develop written compliance program  Develop employee standards and code of conduct  Establish and train compliance committee may vary depending on size of organization  Distribute standards and code of conduct  Conduct Board/owners training  Conduct employee training, including info on how to access compliance documents  Conduct specialized training as necessary  Establish systems for monitoring 27

28  Periodically review compliance program, employee standards and code of conduct  Ensure that employee training is conducted and documented  Manage and monitor employee reporting process  Provide ongoing training, as needed  Ensure that compliance related files are maintained as described in plan  Ensure that monitoring and auditing systems are in place and working  Make periodic reports to the Board/owners regarding compliance, even if no violations 28

29  What laws apply to your organization?  What programs are in place to ensure compliance with those laws?  Who are the key employees responsible for compliance?  How and when do compliance issues get reported?  What are the goals of the compliance program? 29

30  What are the risks to the organization?  What resources are necessary to address those risks?  Have policies and procedures been implemented to address risks and laws?  Have training programs been implemented?  Is the Board informed of changes to regulatory and industry requirements that affect risk? 30

31  Circumstances differ, but basic duty of compliance oversight exists for almost all boards.  Appropriate processes need to be in place to make sure board receives appropriate and objective info in timely manner. 31

32  If there is a specific issue, ask for more information, outside expert review, whatever is necessary and reasonable to address the issue  Ask for regular reports and updates on the situation  Form an ad hoc committee to address, as necessary – may want a regular compliance committee 32

33  After reporting, how are issues addressed?  Are corrective actions taken in response?  How does the organization evaluate and investigate suspected violations?  Are there protections for whistleblowers?  Does the organization and environment encourage reporting?  Are employees sanctioned appropriately? 33

34  Are there guidelines for reporting violations to the Board?  Does the Board receive enough information to evaluate the appropriateness of the organization’s response?  Is there a policy regarding reporting to government and outside authorities? 34

35 Questions? 35

Download ppt "Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
Confidentiality and HIPAA

Confidentiality and HIPAA
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

Similar presentations

Ads by Google