Privacy, Security and Compliance Concerns for Management and Boards. November 15, 2013. Carolyn Heyman-Layne, Esq.

2
- HIPAA
- 42 CFR Part 2
- Other potential privacy laws: Privacy Act, FERPA, AK PIPA, other state laws
- Other healthcare liability concerns for management and board members
- Effective compliance plans

3
Strictness of confidentiality rules, from least strict to most strict: HIPAA, State law, 42 CFR Part 2.
HIPAA is usually the minimum for confidentiality, and 42 CFR Part 2 is usually the maximum.

4
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains three parts:
  Privacy Rule: Who can access medical records and why?
  Security Rule: Are the medical records properly and safely stored?
  Transactions and Code Set Standards: Are healthcare transactions conducted under the proper standards?

5
- To protect the rights of consumers and control inappropriate use of health information
- To improve quality of health care by restoring trust in the system
- To improve efficiency and effectiveness of health care delivery

6
- Quick summary of key concepts:
  HIPAA applies to Covered Entities.
  Covered Entities are required to protect Protected Health Information.
  Uses and disclosures are allowed for treatment, payment and health care operations.

7
- Privacy Rule obligations are imposed only on Covered Entities:
  Health plans
  Health care providers
  Health care clearinghouses
- Persons who are not Covered Entities may still be affected by HIPAA
- Persons who do not handle health information may still be subject to HIPAA

8
- HIPAA governs the use and disclosure of protected health information (PHI)
- PHI is individually identifiable health information (IIHI), written or oral.
- PHI excludes information in education records covered by the Family Educational Rights and Privacy Act, and employment records held by a covered entity in its role as employer.

9
- A Covered Entity may use and disclose PHI without patient permission for treatment, payment, and health care operations (TPO).
- These terms are broadly defined and can apply to a number of uses and disclosures.

10
- The Privacy Rule generally requires that covered entities take reasonable steps to limit use or disclosure to the minimum necessary to accomplish the intended purpose.
- Disclosures for treatment purposes or pursuant to an authorization are excluded from the minimum necessary requirements.
- The covered entity decides the minimum necessary!

11
- In addition to treatment, payment and healthcare operations, Covered Entities can disclose PHI to Business Associates.
- Business Associate: A person other than a member of the Covered Entity’s workforce who performs a function or activity on behalf of a Covered Entity involving the use or disclosure of PHI.

12
- It is the responsibility of the Covered Entity to enter into Business Associate Agreements with its business associates.
- A Business Associate Agreement can be a separate document or included as a provision in a larger contract.
- A Covered Entity may be a business associate as well as a covered entity.

13
- Provide information to patients about their privacy rights and how their information can be used (Notice of Privacy Practices).
- Adopt clear privacy procedures.
- Train employees to understand privacy procedures.
- Protect patient records that contain IIHI.
- Report breaches of PHI.

14
- The Security Rule was enacted to physically protect health information.
- Focuses on administrative, physical and technical security of information.
  Administrative: Employee access rights
  Physical: Workstation locations
  Technical: Automatic logoff
- HITECH: HIPAA now includes breach reporting requirements.

15
- Conduct Risk Assessment
- Security Management Process
- Assigned Security Responsibility
- Access Authorization
- Termination
- Awareness & Training
- Security Incidents
- Contingency Plans
- Evaluation
- Business Associate Agreements

16
- Facility Walkthrough
- Security Plan
- Contingency Operations: can be part of overall emergency response plan
- Maintenance records
- Workstations
- Disposal & Destruction
- Backup & Copy
- Reuse & Recycling of Equipment
- Encryption & Decryption

17
- Access controls
- Automatic Logoff
- Termination
- Audit Controls
- Integrity
- Person or Entity Authentication
- Data Transmission

18
HITECH/HIPAA
- Acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI.
- Only applies to “unsecured PHI”, such as unencrypted data on a laptop, etc.
AK PERSONAL INFORMATION PROTECTION ACT (AK PIPA)
- Unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality or integrity of the personal information.
- Only applies to “personal information”: not encrypted or redacted; a combination of name and identifying number (SSN, DL#, credit card or bank account, etc.)
Privacy breach insurance is available!!!

19
HITECH
- Only covers unsecured protected health information
- Written notification
- More than 500 affected requires notice to media
- Notice within 60 days of discovery
- Specific notice requirements
- Notice to HHS or annual log of breaches
AK PIPA
- Covers “personal information” if reasonable likelihood of harm
- Written or electronic notice
- More than 300,000 requires notice to media
- Requires reporting to AG even if no harm caused
- Make sure this is covered in business associate agreements and vendor contracts

20
- Do you receive federal assistance? If no, no further analysis necessary; you are not a 42 CFR Part 2 Program.
- If yes, does any of your federal funding go to substance abuse treatment?
  Separate substance abuse programs; OR
  Individuals, entities, or units within a facility or organization that hold themselves out as providing alcohol or drug abuse diagnosis, treatment or referral for treatment
- It is the kind of services provided and the general reputation or promotion of the program, not the name or description of the program, that defines whether 42 CFR Part 2 applies.

21
HIPAA
- Covered Entities
- Protected Health Information (PHI)
- Protects medical record numbers
- Allows disclosures without authorization for treatment, payment and healthcare operations
- Business Associate Agreements
42 CFR PART 2
- Part 2 Programs
- Information that identifies a substance abuser
- Does not protect medical record numbers
- Does not allow any disclosure without consent except in very limited special circumstances
- Qualified Service Organization Agreements

22
- Privacy Act of 1974: primarily Alaska Native programs, but also Federal agencies
- Alaska Personal Information Protection Act
- FERPA (Family Educational Rights and Privacy Act): schools
- State laws re: substance abuse, behavioral health, etc.

23
- Management needs to understand how to implement and comply with these laws
- Your board may encounter health information as well:
  Grievance procedures
  Discussion of compliance issues
  Direct patient contact
- Case law has established a board’s duty to oversee a compliance program for healthcare organizations.
- The Board is ultimately responsible, but management is responsible for getting them information.

24
- The more regulation, the higher the possibility of violations (intentional or unintentional)
- Compliance programs help to mitigate those risks
- Government has increased money and resources for enforcing the regulations

25
- Effectively prevent, detect and correct noncompliance
- Also prevent and address fraud, waste and abuse
- Effective communication among all staff and leadership
- Seven Elements of an Effective Compliance Program

26
- Written policies and procedures
- Compliance officer, committee and high-level oversight
- Effective training and education
- Effective lines of communication
- Well-publicized disciplinary standards
- Effective system for routine monitoring and auditing
- Prompt response to compliance issues

27
- Develop written compliance program
- Develop employee standards and code of conduct
- Establish and train compliance committee (may vary depending on size of organization)
- Distribute standards and code of conduct
- Conduct Board/owners training
- Conduct employee training, including info on how to access compliance documents
- Conduct specialized training as necessary
- Establish systems for monitoring

28
- Periodically review compliance program, employee standards and code of conduct
- Ensure that employee training is conducted and documented
- Manage and monitor employee reporting process
- Provide ongoing training, as needed
- Ensure that compliance-related files are maintained as described in plan
- Ensure that monitoring and auditing systems are in place and working
- Make periodic reports to the Board/owners regarding compliance, even if no violations

29
- What laws apply to your organization?
- What programs are in place to ensure compliance with those laws?
- Who are the key employees responsible for compliance?
- How and when do compliance issues get reported?
- What are the goals of the compliance program?

30
- What are the risks to the organization?
- What resources are necessary to address those risks?
- Have policies and procedures been implemented to address risks and laws?
- Have training programs been implemented?
- Is the Board informed of changes to regulatory and industry requirements that affect risk?

31
- Circumstances differ, but a basic duty of compliance oversight exists for almost all boards.
- Appropriate processes need to be in place to make sure the board receives appropriate and objective information in a timely manner.

32
- If there is a specific issue, ask for more information, outside expert review, whatever is necessary and reasonable to address the issue
- Ask for regular reports and updates on the situation
- Form an ad hoc committee to address it, as necessary (may want a regular compliance committee)

33
- After reporting, how are issues addressed?
- Are corrective actions taken in response?
- How does the organization evaluate and investigate suspected violations?
- Are there protections for whistleblowers?
- Do the organization and environment encourage reporting?
- Are employees sanctioned appropriately?

34
- Are there guidelines for reporting violations to the Board?
- Does the Board receive enough information to evaluate the appropriateness of the organization’s response?
- Is there a policy regarding reporting to government and outside authorities?

35 Questions?
