ArchCare HIPAA Compliance Training


Learning Objectives
After this course and presentation, you, the participant, will be able to:
- Recall the definition of the term HIPAA.
- Recall the different provisions of the law contained in the HIPAA regulations.
- Recall how HIPAA affects our organization and each individual associate.
- Define what Protected Health Information (PHI) is, and identify it when you see it.
- Safeguard Protected Health Information.
- Recall the key components of the Privacy and Security Policy.

Purpose of this Course
This HIPAA training program has been developed to give you information and training concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- HIPAA affects the way we handle specific client data.
- It is our responsibility to ensure that any Protected Health Information (PHI) in our possession is safeguarded and not disclosed.
- This course has been developed to help you learn the basics about HIPAA.
We appreciate your effort in helping us become HIPAA ready.

What is HIPAA?
- A Federal law enacted in 1996.
- Acronym for "Health Insurance Portability and Accountability Act".
- Its Administrative Simplification provisions require covered entities to safeguard Protected Health Information (PHI).
- Contains severe penalties for both intentional and unintentional violations.

What is HIPAA? (continued)
- Contains requirements for the confidentiality of PHI (Protected Health Information).
- The privacy portion of HIPAA (the Privacy Rule) became effective April 14, 2003.
- Mandates uniform standards and formats for electronic health information, and code sets, for routine types of health care transactions.

How does HIPAA affect ArchCare and you?
- We all must abide by rules and regulations that protect the privacy of health care information, particularly Protected Health Information (PHI).
- This information may come to us in the form of databases, patient information sheets, or electronic records.
- HIPAA policies and procedures have been developed to specify how we will safeguard PHI while it is in our areas.

What is Protected Information?
PHI is health information that identifies, or could be used to identify, a patient. Identifiers include:
- Name
- Address
- SSN
- Clinical notes
- etc.
It may come in:
- Emails
- Faxes
- Other correspondence
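PHI has to be recognized before it can be safeguarded, and email is the channel on which it most often leaks by accident. The following is an added example, not part of the ArchCare training material: a small outbound-mail scanner for one identifier type from the list above, the Social Security number. Beyond matching the digit pattern, it applies the structural rules for issued SSNs (area number is never 000, 666 or 900 and above; group is never 00; serial is never 0000) so that test values and phone-like numbers do not trip it. The sample message and the function names are constructed for the example.

```python
import re

# Constructed sample outbound email (not real data): one well-formed SSN, one
# number that looks like an SSN but has an invalid area number, and a phone
# number that a naive nine-digit pattern might misfire on.
SAMPLE_EMAIL = """From: billing@example.org
To: vendor@example.net
Subject: claim follow-up

Patient Jane Doe, SSN 123-45-6789, was admitted 03/07/2019.
Test account SSN 000-12-3456 should be ignored.
Call 555-123-4567 with questions.
"""

# Dashes or spaces between groups; word boundaries keep us out of longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs; rejects obvious placeholders and test values."""
    if area in ("000", "666") or area >= "900":  # string compare is safe: fixed width
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def find_ssns(text: str) -> list:
    """Return every plausibly valid SSN found in the text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def redact_ssns(text: str) -> str:
    """Mask all but the last four digits of each plausible SSN; leave implausible ones alone."""
    def mask(m):
        if is_plausible_ssn(*m.groups()):
            return "XXX-XX-" + m.group(3)
        return m.group(0)
    return SSN_RE.sub(mask, text)


def scan_outbound(text: str) -> dict:
    """The decision a mail gateway might take: flag the message and offer a redacted copy."""
    found = find_ssns(text)
    return {"contains_phi": bool(found), "ssns": found, "redacted": redact_ssns(text)}


if __name__ == "__main__":
    print(scan_outbound(SAMPLE_EMAIL))
```

A real gateway would cover the other identifier types too (names and addresses need dictionaries or a trained model rather than a regex) and would log the hit to the Compliance Officer rather than silently rewriting the message; the structural check is what keeps the false-positive rate low enough that staff do not learn to ignore the alerts.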

What actions must we take to safeguard media containing PHI?
A key word in the HIPAA regulations is "REASONABLE":
- REASONABLE steps
- REASONABLE effort
Our policies and procedures contain reasonable steps to meet the rules and regulations of the HIPAA Privacy Standard.

What are reasonable safeguards?
- All established procedures for your department must be followed in handling and safeguarding PHI in any form: files retrieved from an FTP site (note that plain FTP sends both the login and the file contents unencrypted, so use SFTP or FTPS), other electronic transfers, and removable or portable media (portable hard drives, iPads, tablets, laptops, DVDs, CDs, CD-ROMs, tapes, etc.).
- PHI should NEVER be left open, accessible, or in plain view.

Penalties for Non-Compliance
- Employees are expected to understand HIPAA and to take it seriously.
- The HHS Office for Civil Rights (OCR) enforces the Privacy and Security Rules, and CMS enforces the transaction and code set standards. CMS, AHCA and the HHS Office of Inspector General (OIG) have outlined severe penalties for HIPAA violations.

What are the Penalties? Unintentional Disclosure
- As the law was originally written, the civil penalty is $100 per occurrence. (The HITECH Act of 2009 replaced this with tiered civil penalties that start at $100 per violation and can reach $50,000 per violation, depending on the level of culpability.)
- Disciplinary action will be taken, up to and including termination.

What are the Penalties? Intentional Disclosure
- A fine of up to $250,000 may be imposed, with the possibility of up to 10 years in prison (the criminal penalty for wrongful disclosure committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm).
- An employee's employment with the company will be terminated.

What to do?
Immediately notify your Supervisor.

What is a business associate?
A person or organization that performs a function or activity involving PHI on behalf of a covered entity (our doctors, for example) but is not part of the covered entity's (the doctor's) workforce. Any outside organization that creates, receives, maintains or transmits a doctor's PHI, regardless of format, is considered his or her Business Associate.

What is a BAA?
Business Associate Agreement. The HIPAA Privacy Rule permits a covered entity to disclose PHI to its Business Associates only after obtaining a satisfactory BAA from the business associate.

Business Associate Agreement
Do doctors need a BAA? Short answer: Yes.
Does every business associate require a BAA? YES!

HIPAA Actions at ArchCare
- Compliance Officer
- Policies and Procedures
- Implementing Rules and Regulations

Example of HIPAA

Summary of the HIPAA Security Standards Rule
The summary of the HIPAA Security Standards Rule begins:
"This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)."

Purpose and Rationale
What is the purpose? The Security Standards Rule adopts national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
Why?
- Because there were no standard measures in the health care industry that addressed all aspects of the security of ePHI while it is in use, in storage, or during exchange between entities.
- Because HIPAA mandated security standards to protect an individual's health information, while permitting appropriate access and use of that information by health care providers, clearinghouses, and health plans.

What does enforcement look like?
The enforcement process for HIPAA transactions and code sets is primarily complaint driven.
Process: upon receipt of a complaint, CMS notifies the provider of the complaint, and the provider has the opportunity to demonstrate compliance or to submit a corrective action plan.
If the provider does neither, then CMS has the discretion to impose penalties.

Privacy versus Security under HIPAA
- Privacy Rule: covers PHI in paper, oral and electronic form.
- Security Rule: covers only electronic PHI (ePHI).
- Both extend to the personnel of a covered entity even if they work at home.
- Both require a minimum level of documentation that must be retained for 6 years (from the date it was created or the date it was last in effect, whichever is later).

More About the Security Rule
Breakdown of the HIPAA Security Standards (implementation specifications):
- Administrative (55%): 12 Required, 11 Addressable
- Physical (24%): 4 Required, 6 Addressable
- Technical (21%): 4 Required, 5 Addressable
Key point: the Security Rule requires Covered Entities to conduct a Risk Analysis of their electronic systems and to develop policies and procedures to protect ePHI on those systems.

Addressable Implementation Specifications
Covered entities must assess whether an implementation specification is reasonable and appropriate based on such factors as:
- Risk Analysis
- Security Controls already in place
- The Cost of Implementation

Addressable Implementation Specs
If the implementation specification is determined to be reasonable and appropriate, then the covered entity should implement it.
If the implementation specification is not reasonable and appropriate, then the covered entity should:
1. Document why it would not be reasonable and appropriate to implement it.
2. Implement an equivalent alternative measure, if that is reasonable and appropriate.
3. If no alternative is reasonable and appropriate either, not implement it, and explain in detail in the documentation why not.

Policies and Procedures (§164.316(a))
- Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii) and (iv).
- This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification or other requirement of this subpart.
- A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

HIPAA Security Policy: Sanction Policy
An employee whose actions inadvertently lead to a compromise or breach of ePHI will receive the following sanctions:
- 1st occurrence: verbal warning from supervisor.
- 2nd occurrence: written warning from supervisor, with a copy of the warning placed in the employee's official company file.
- Additional occurrences: suspension or other actions, up to and including termination of employment.

HIPAA Security Rule Policies (cont.)
Access Authorization Policy:
- Access to information must be granted based on an individual's job responsibilities.
- Access control features, where available, must be implemented to allow users access to only the data and functions required to perform their duties.

HIPAA Security Rule Policies (cont.)
Protection from Malicious Software Policy applies to:
- All PCs (desktops, laptops)
- Servers
- Internet gateways
- Email servers
- Smart phones, iPads, tablets
What to do if you have a virus?
NOTE: Backup copies of production software and data will be readily available in the event that a computer needs to be restored because of a virus.

HIPAA Security Rule Policies (cont.)
Password Management Policy:
- Each user has a unique User ID.
- Passwords must be kept in confidence.
- Do NOT write any password on a sticky note and post it in your work area!
- Unacceptable passwords include: 'password', '1234', first initial + last name, 'qwerty', birthdays, children's names, and many others.
- Complete sentences (long passphrases) are the best passwords.
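A policy like the one above is only enforced if the system rejects the bad choices at the moment the password is set. The following is an added example, not ArchCare's code: a checker that turns the slide's rules into logic. It normalizes the candidate (lower case, punctuation stripped, common letter-for-digit substitutions undone, so 'Passw0rd!' is still caught), then tests it against a blocklist, the user's own name and initials, family names on file, and the user's birth date in several digit layouts. The blocklist entries, the minimum length of 14, and the user data are assumptions made for the example.

```python
import re
from datetime import date

# Constructed blocklist: the slide's own examples plus a few common entries (assumption).
BLOCKLIST = {"password", "1234", "12345", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 14  # assumption: the policy gives no number; a complete sentence clears this easily
# Undo the substitutions people use to sneak a blocklisted word past a naive check.
LEET = str.maketrans("0134578@$", "oieastbas")
DEMO_BIRTHDATE = date(1985, 3, 7)  # constructed user data


def _forms(password: str) -> set:
    """Lower-cased, punctuation-stripped views of the password, with and without de-leeting."""
    lowered = password.lower()
    plain = re.sub(r"[^a-z0-9]", "", lowered)
    deleet = re.sub(r"[^a-z0-9]", "", lowered.translate(LEET))
    return {plain, deleet}


def _personal_terms(first_name: str, last_name: str, family_names) -> set:
    """Name, surname, first initial + surname, and family members' names (3+ characters)."""
    terms = {first_name, last_name, first_name[:1] + last_name, *family_names}
    return {t.lower() for t in terms if len(t) >= 3}


def _birthdate_forms(birthdate: date) -> set:
    """The digit layouts a birthday usually shows up in: 1985, 03071985, 19850307, 030785, 07031985."""
    return {birthdate.strftime(f) for f in ("%Y", "%m%d%Y", "%Y%m%d", "%m%d%y", "%d%m%Y")}


def check_password(password: str, first_name: str, last_name: str,
                   birthdate: date, family_names=()) -> list:
    """Return the policy rules the candidate violates; an empty list means it is acceptable."""
    problems = []
    forms = _forms(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(word in f for word in BLOCKLIST for f in forms):
        problems.append("contains a blocklisted word or sequence")
    if any(term in f for term in _personal_terms(first_name, last_name, family_names) for f in forms):
        problems.append("contains the user's name, initials or a family member's name")
    digits = "".join(re.findall(r"\d+", password))
    if any(form in digits for form in _birthdate_forms(birthdate)):
        problems.append("contains the user's birth date")
    return problems


def demo() -> dict:
    """Run the slide's bad examples and one good passphrase through the checker."""
    user = ("Jane", "Smith", DEMO_BIRTHDATE, ["Emma"])
    candidates = ["password", "Passw0rd!", "jsmith1985", "the nurse on 3 west locks her screen"]
    return {c: check_password(c, *user) for c in candidates}


if __name__ == "__main__":
    for candidate, problems in demo().items():
        print(f"{candidate!r}: {problems or 'accepted'}")
```

The check runs against the user's HR record (name, birth date, dependents), which is why it belongs in the identity system rather than in a stand-alone script; a real deployment would also screen candidates against a list of passwords seen in public breaches.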

HIPAA Security Rule Policies (cont.)
Security Incident Procedures:
If a breach of a system or an unintentional release of electronic PHI occurs, then:
- Immediately notify the HIPAA Compliance Officer (the same person as your entity's Compliance Officer).
- The appropriate department will act immediately to minimize the damage done by the breach or disclosure.
- The appropriate individuals will complete the Incident Report Form.
Note: all actions taken by an employee concerning the incident will be completely documented, with copies provided to the HIPAA Compliance Officer.

HIPAA Security Rule Policies (cont.)
Access Control and Validation Procedures:
- An ID/access badge will be issued to each employee.
- The access badge must be worn at all times while on Company property.
- When employment ends, the access badge must be returned immediately, and the badge must be deleted from the access system immediately.

HIPAA Security Rule Policies (cont.)
Workstation Use and Security Policies:
All employees will lock their workstation (password-protected screen saver) on all computers:
- When walking away from your computer, press Ctrl + Alt + Delete, then choose "Lock this Computer" (or press the Windows key + L).
- Consult IT for assistance with locking.
Remember: LOCK IF YOU WALK!

HIPAA Security Rule Policies (cont.)
Unique User Identification Policy:
- All users are required to log in to systems before usage is granted.
- All users must log in with a unique username and password.

HIPAA Security Rule Policies (cont.)
Controlled Access

HIPAA Security Rule Policies (cont.)
[Sample access badge: picture, name (Dan Doctor, MD), position (Physician), organization (ArchCare Advantage), with the ArchCare logo.]
Access badge must be displayed at all times while on Company property.

HIPAA Security Rule Policies (cont.)
Device and Media Disposal Policy applies to:
- PDAs
- Laptops
- iPads and tablets
- Desktop computers
- Backup tapes and disks
- Flash drives
If a hard drive or other media cannot be cleaned as described in the policy, it will be physically destroyed in a manner that makes it completely unusable and unrecoverable.
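"Cleaned" means every byte of the medium has been overwritten and, just as important, read back to confirm the overwrite actually landed; the verification step is the one most often skipped. The following is an added example, not part of the ArchCare policy: a Python routine that overwrites a file or raw device with random data, then with zeros, and then reads the whole medium back, refusing to report success if any byte is non-zero. The demo runs it against a scratch file seeded with constructed PHI; against a real disk you would point it at the device path (for example /dev/sdX, which needs root) and the size logic already handles that case. Function names and the sample content are assumptions made for the example.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write/read unit; kept small so the demo exercises the loop more than once


def _medium_size(f) -> int:
    """Size in bytes; works for regular files and for block devices, where os.stat reports 0."""
    end = f.seek(0, os.SEEK_END)
    f.seek(0)
    return end


def _fill(f, size: int, make_block) -> None:
    """Write size bytes produced by make_block(n) from offset 0, then force them to the medium."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(make_block(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # without this the zeros may still be sitting in the page cache


def overwrite_and_verify(path: str, random_passes: int = 1) -> dict:
    """Overwrite every byte with random data (random_passes times), then with zeros, then
    read the whole medium back. verified is True only if every byte reads back as zero."""
    with open(path, "r+b") as f:
        size = _medium_size(f)
        for _ in range(random_passes):
            _fill(f, size, secrets.token_bytes)
        _fill(f, size, bytes)  # bytes(n) is n zero bytes
        f.seek(0)
        verified, remaining = True, size
        while remaining and verified:
            block = f.read(min(CHUNK, remaining))
            if not block or any(block):  # short read or a non-zero byte: the overwrite did not land
                verified = False
            remaining -= len(block)
    return {"bytes": size, "passes": random_passes + 1, "verified": verified}


def demo() -> dict:
    """Create a scratch file holding constructed PHI, sanitize it, and confirm nothing survives."""
    marker = b"PHI: Jane Doe 123-45-6789 dx: hypertension\n"  # constructed
    copies = 5000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * copies)
        path = tmp.name
    try:
        report = overwrite_and_verify(path)
        with open(path, "rb") as f:
            report["phi_residue"] = marker in f.read()
        report["expected_bytes"] = len(marker) * copies
        return report
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. Overwriting a single file in place does not reach old copies that a journaling or copy-on-write filesystem may have kept, so sanitization is done at the device level. And on flash media (SSDs, flash drives, tablets) wear levelling can leave the original blocks untouched no matter how many passes you write, which is why the policy's fallback of physical destruction, or the device's own built-in secure-erase or crypto-erase, is the right answer there.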

HIPAA Security Rule Policies (cont.)
Encryption Policy:
- All files that contain PHI and are sent over public networks will be encrypted.
- Where possible, strong encryption is used to secure files before transmission: TLS for the connection (SSL, its predecessor, is obsolete and should be disabled), and PGP or AES for encrypting the file itself.
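Encrypting the file itself, independently of the connection, is what protects PHI when the transport is out of your control (a partner's FTP server, an email attachment). The following is an added example, not ArchCare's code: file encryption with AES-256 in GCM mode, which gives both confidentiality and an integrity tag, so a file that is altered, renamed or opened with the wrong key is rejected rather than decrypted into garbage. It assumes the pyca/cryptography package is installed; the envelope layout (a magic prefix, a 12-byte nonce, then ciphertext and tag) and the sample record are constructed for the example.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # assumption: pyca/cryptography is installed

MAGIC = b"PHI1"   # constructed envelope marker, not a standard format
NONCE_LEN = 12    # 96-bit nonce, the size GCM is designed for
TAG_LEN = 16


def new_key() -> bytes:
    """Fresh 256-bit AES key. In practice this comes from a key manager, never from the file itself."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_file_bytes(key: bytes, plaintext: bytes, filename: str) -> bytes:
    """Envelope = MAGIC || nonce || ciphertext || tag.
    The filename is bound in as associated data: authenticated, but not encrypted."""
    nonce = os.urandom(NONCE_LEN)  # never reuse a nonce with the same key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, filename.encode())
    return MAGIC + nonce + ciphertext


def decrypt_file_bytes(key: bytes, envelope: bytes, filename: str) -> bytes:
    """Inverse of encrypt_file_bytes. Raises InvalidTag if anything in the envelope or
    the filename was changed, or if the key is wrong."""
    if not envelope.startswith(MAGIC) or len(envelope) < len(MAGIC) + NONCE_LEN + TAG_LEN:
        raise ValueError("not a PHI envelope")
    nonce = envelope[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ciphertext = envelope[len(MAGIC) + NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, filename.encode())


def _rejected(key: bytes, envelope: bytes, filename: str) -> bool:
    """True if decryption fails the integrity check."""
    try:
        decrypt_file_bytes(key, envelope, filename)
        return False
    except InvalidTag:
        return True


def demo() -> dict:
    """Encrypt a constructed record and show what the tag catches in transit."""
    key = new_key()
    plaintext = b"Patient: Jane Doe\nSSN: 123-45-6789\nDx: hypertension\n"  # constructed
    envelope = encrypt_file_bytes(key, plaintext, "claim-0042.txt")
    tampered = bytearray(envelope)
    tampered[-TAG_LEN - 4] ^= 0x01  # flip one bit inside the ciphertext
    return {
        "roundtrip_ok": decrypt_file_bytes(key, envelope, "claim-0042.txt") == plaintext,
        "plaintext_leaked": b"Jane Doe" in envelope,
        "tamper_detected": _rejected(key, bytes(tampered), "claim-0042.txt"),
        "rename_detected": _rejected(key, envelope, "claim-0099.txt"),
        "wrong_key_detected": _rejected(new_key(), envelope, "claim-0042.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

The key has to reach the recipient by a separate channel from the file (a key-management service, or a PGP-encrypted key for a one-off exchange); a key sent alongside the envelope protects nothing. The transport layer (TLS or SFTP) still matters on top of this, because the envelope reveals the filename and the file size.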

Impact of not complying with the HIPAA Security Final Rule
What's the impact?
- Possible litigation or other lawsuits
- Loss of public confidence
- Penalties: civil monetary penalties for each violation of a standard, and criminal penalties for wrongful disclosure of PHI
- Other actions may be forthcoming

In Review
Today we have studied:
- The definition of the term HIPAA
- The different provisions of law contained in the HIPAA regulations
- How HIPAA affects our organization and each individual employee
- The meaning of the term PHI
- How to safeguard PHI
- The key components of the Privacy and Security Policy

Thank You for Your Time