
MU and HIPAA Compliance 101 Robert Morris VP Business Services Ion IT Group, Inc www.IonITGroup.com.

Presentation transcript:

1 MU and HIPAA Compliance 101 Robert Morris VP Business Services Ion IT Group, Inc www.IonITGroup.com

2 Agenda:

3 Sometimes we have to do things even when we don’t want to… (Odie, 12/15/2011)

4 HIPAA Components (est. 1996)
  Title I    Portability
  Title II   Administrative Simplification
  Title III  Medical Savings Account
  Title IV   Group Health Plan Provisions
  Title V    Revenue Offset Provision
  Under Title II (Administrative Simplification):
    Privacy (compliant since 4/03): Use/Disclosure of PHI; Individual Rights; Administrative Requirements
    EDI: Transactions; Code Sets; Identifiers
    Security (compliant since 4/05): Admin Procedures; Physical Safeguards; Organizational Requirements; Technical Safeguards

5 HIPAA Components (est. 1996)
  Same breakdown as the previous slide (Titles I–V; Privacy, EDI and Security under Title II), except that the Security branch here lists: Admin Procedures; Physical Safeguards; Technical Security Mechanisms; Technical Security Services

6 Why Should We Care about Network Security?
  Potential for downtime and impact on patient care
  It’s both a State and Federal law
  The dreaded blank check scenario
  Possible fines for security breaches
  HIPAA requires we implement security measures to protect PHI on paper and electronically!
  Damage to reputation for security breaches (newspaper headlines)

7 Headlines
  July 07, 2010: Conn. AG, Health Net Reach Settlement Over Medical Data Breach
  On Tuesday, insurer Health Net reached a $250,000 settlement with Connecticut Attorney General Richard Blumenthal (D), who sued the company after it lost a computer hard drive in 2009, Dow Jones/Wall Street Journal reports. The hard drive contained medical and financial information on about 500,000 members from the state. (Solsman, Dow Jones/Wall Street Journal, 7/6)

8 Headlines
  June 2, 2010: “Many of the major healthcare information breaches reported since last September, when the HITECH Breach Notification Rule took effect, have involved the theft or loss of unencrypted laptops and other portable devices.”
  Terrell Herzig is HIPAA security officer at UAB Health System in Birmingham, Ala.

9 Agenda:

10 Meaningful Use Core Set verbiage says…
  Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

11 Aaaannd that means what??…
  164.308 - Administrative Safeguards
  1. You must have a Security Management Process
     a) Implement policies and procedures to prevent, detect, contain, and correct security violations.
  2. Risk Analysis
     a) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity.
  3. Risk Management
     a) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
  4. Sanction Policy
     a) Apply appropriate sanctions against workforce members who fail to comply with the security policies of the covered entity.
  5. Information System Activity Review
     a) Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  PS. Breach notification was effective 9/2009. Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. This section also requires covered entities to comply with several other provisions of the Privacy Rule with respect to breach notification.

12 How You Can Help Your Organization Keep the Network Secure

13 User Access Control and Password Guidance
  Unique User ID: All system access with your ID is YOUR responsibility.
  Password Guidelines: Passwords must be a combination of upper and lower case letters, numbers, and special characters.
  Automatic Logoff: Your EHR session should terminate after 15 minutes of inactivity. Always save your work before leaving your workstation!

14 Accounting for Disclosures
  Always indicate why treatment, payment, or authorization information is being disclosed.
  Minimum Necessary Rule: “…take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose.”

15 Tasks for the IT Dept
  Role-Based Access: Manage who gets access to what.
  Firewall Review: Make sure that communication with the outside world is secure.
  Wireless Security: Manage who gets WiFi access.
  Antivirus: Manage software to keep viruses and malware at bay.
  Server/Workstation Updates: Make sure all software gets appropriate updates to mitigate problems.

16 Tasks for the IT Dept
  Backup: Keep a backup of all data, just in case!
  Backup Encryption: Make backup data unreadable to snoopers.
  Recovery: Have a plan in case disaster strikes!

17 Summary
  Protecting data is everyone’s responsibility.
  Understand HIPAA.
  Hold each other accountable.

18 Thank you for your time today!
  Robert Morris
  RMorris@IonITGroup.com
  615.351.4796

