
1 HIPAA: So You Think You’re Compliant September 1, 2011 Carolyn Heyman-Layne, J.D.

2 HIPAA Compliance
Compliance is more than a Notice of Privacy Practices…
Privacy Rule – Been there, done that, right?
  – Recent changes/proposed rule
Security Rule – Been there? Done that?
  – Full risk analysis
Breach Notification – Hope you don’t go there…
  – Missing addresses? Time to alert the media!

3 Privacy Rule: The Basics
Notice of Privacy Practices
  – Updated?
  – Acknowledged?
  – Provided?
Authorizations
  – HIPAA compliant
  – Properly retained
Policies
  – Updated?
  – Training?
Business Associate Agreements
  – Organized, updated, appropriate?

4 Privacy Rule: Patient Rights Under HIPAA
Inspect and copy PHI
Request amendments of errors or incomplete information
Obtain an accounting of disclosures
Obtain a list of persons who have accessed PHI electronically
Request a restriction of uses/disclosures
  – HITECH change
Receive confidential communications
Receive Notice of Privacy Practices
File written complaints

5 Changes to Privacy Rule: Accounting of Disclosures
Proposed Rule divides patient rights into:
  – (a) Individual’s right to an accounting of disclosures
  – (b) Individual’s right to an access report
Disclosures would:
  – Be limited to designated record sets
  – Include business associates
  – Have an accounting period of 3 years
  – Specifically list types of disclosures

6 Changes to Privacy Rule: Business Associates
Business Associates are now directly subject to HIPAA
Are you a business associate?
Are you in compliance with HIPAA?

7 Security Rule Safeguards: How They Apply
Security Rule
  – Administrative Safeguards – who can access?
  – Physical Safeguards – how can access be physically prevented?
  – Technical Safeguards – what programs protect access?
Required v. Addressable
Conducting a Risk Analysis
Documenting the Risk Analysis

8 Security Safeguards
45 CFR Part 164 – Generally requires ensuring confidentiality, integrity and availability of PHI, and protections against reasonably anticipated threats, unauthorized uses, etc.
Applicable to covered entities, business associates, others (via grant or contract)
Safeguards example:
  – Standard (Security management process)
  – Implementation specifications:
      Risk analysis (required)
      Risk management (required)
      Sanction policy (required)
      Information system activity review (required)

9 Flexibility of Approach
Required v. Addressable
  – If something is required, all covered entities must implement it
  – If something is addressable, the covered entity must:
      Assess whether it is a reasonable and appropriate safeguard
      Implement it if reasonable and appropriate
      If not reasonable and appropriate:
        – Document why; and
        – Implement an alternative if available, reasonable and appropriate
      Review and revise as necessary
May want to use for paper PHI as well, but not required

10 Flexibility of Approach
In determining what is reasonable and appropriate, must look at:
  – Size, complexity and capabilities
  – Technical infrastructure, hardware and software
  – Costs of security measures
  – Probability and criticality of potential risks
  – Likely contribution to protecting the ePHI
Important to reassess as the organization changes:
  – Growth
  – Changes in focus
  – Changes in technology
  – Changes in information stored

11 Risk Analysis: Recent Guidance
Office for Civil Rights posted guidance pursuant to the HITECH requirement on July 14, 2010
First in a series of guidance documents to implement Security Rule safeguards
Some NIST recommendations incorporated
Not required to follow, but need to document why not
  – May have already conducted a risk analysis in a different format
  – May not be appropriate for your organization

12 Risk Analysis (Required)
164.308(a)(1)(ii)(A):
  – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the organization.
What is “accurate”?
What is “thorough”? All potential risks?
ePHI “held by the organization”

13 Where to start?
Get the right people involved:
  – Management
  – IT
  – HR
  – Medical records personnel
  – EHR experts
Identify the ePHI in your client’s organization*:
  – EHR program
  – Emails
  – Documents (Word, Excel, etc.)
  – Databases
  – Metadata
*mentioned in OCR guidance

14 What next?
Identify where ePHI is generated:
  – Internally
  – Externally – what are the external sources?*
Inventory the equipment with ePHI:
  – Laptops
  – Desktops
  – Hard drives
  – Servers
  – Mobile devices
  – Copiers, faxes, scanners

15 What resources do we need?
Gather the applicable documentation:
  – Security Rule
  – Organization policies and procedures
  – List of staff
  – Computer manuals & EHR instructions
  – IT/Compliance budget information
  – Cost information for available technology
  – Information about alternatives
  – Old audit reports or information about risks*
      Human risks
      Natural/environmental risks
      Technical risks

16 Required Elements of Risk Analysis
Scope of the Analysis
Data Collection
Identify and Document Potential Threats and Vulnerabilities
Assess Current Security Measures
Determine the Likelihood of Threat Occurrence
Determine the Potential Impact of Threat Occurrence
Determine the Level of Risk
Finalize Documentation
Periodic Review and Update

17 How to Document Risk Analysis
Set up a template – many safeguards will consider the same information, the same underlying documentation and the same risks
Make a list of all safeguards with which you are already in compliance – these can be taken off the risk analysis list
Make a list of all the remaining safeguards
  – If there are a lot, prioritize
  – If there are only a few, consider the benefit of implementation vs. performing a risk analysis
Make a master list that indicates compliance and/or risk assessment

18 HIPAA Breach Notification Rule
Interim Rule effective Sept. 23, 2009
Final Rule ready May 2010, but withdrawn from OMB review before being published
Interim Rule still in effect until the Final Rule is published
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

19 HIPAA Breach Notification Rule

20 HITECH Breach Reporting
Only covers unsecured protected health information
Written notification
More than 500 affected requires notice to media
Notice within 60 days of discovery
Specific notice requirements
Notice to HHS or annual log of breaches

21 What is a “breach”?
Acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI.
Only applies to “unsecured PHI”, such as unencrypted data on a laptop, etc.

22 Exceptions to Breach
Secured PHI
Unintentional, good-faith acquisition, access or use by a person working under the authority of the covered entity, if within the scope of that authority and with no further use or disclosure.
Disclosures within the same entity, or between the entity and a business associate or OHCA, under the same terms.
Good-faith belief that no information could have been retained.

23 Reporting is Required – How Do We Do It?
Reporting methods:
  – Written notification by first class mail, unless the individual has agreed to electronic communication.
  – Website or major media if insufficient contact info for more than 10 people.
  – Media notification required if more than 500 affected.
Reporting details:
  – Within 60 days of discovery of the breach.
  – Must include:
      – Brief description of the breach, including the date of the breach and the date of discovery.
      – Description of the PHI involved.
      – Steps individuals should take to protect themselves.
      – Brief description of the mitigation, investigation and protection measures taken by the entity.
      – Contact info for questions, including toll-free phone, email, website or address.

24 Web Resources for HIPAA
DHHS Office of Civil Rights: http://www.hhs.gov/ocr/privacy/
  – Rules (Privacy, Security, Breach Notification)
  – FAQs and other informal guidance
  – Understanding HIPAA Privacy – Covered Entities
  – Enforcement activities
  – Privacy complaints
  – Proposed Rules: Google “Proposed HIPAA Regulations” – hhs.gov or other sources only
Sign up for the listserv: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/listserv.html

25 Web Resources for HIPAA

26 DHHS New(er) Websites
Health Data Privacy and Security Resources: http://www.hhs.gov/healthprivacy/index.html
  – Privacy policies, HIPAA, Privacy & Security Framework
Office of the National Coordinator for HIT: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__home/1204
  – HITECH, funding, email updates, regulations

27 DHHS New(er) Websites

28 Questions?
Carolyn Heyman-Layne
Sedor, Wendlandt, Evans & Filippi, LLC
Heyman-layne@alaskalaw.pro
(907) 677-3600
www.alaskalaw.pro
