
HIPAA, HITECH and Business Associates Heather Fields, J.D. - PowerPoint PPT Presentation



  1. HIPAA COW Webinar: HIPAA, HITECH and Business Associates
  Heather Fields, J.D.
  Reinhart Boerner Van Deuren s.c.
  HIPAA COW Webinar, November 11, 2010

  2. Presentation Overview
  • TOP 3 HIPAA Compliance Risks
    » Unauthorized Use and Disclosure of PHI
    » Minimum Necessary
    » Bad BA Agreements
  • Risk Mitigation Strategies for Each

  3. HIPAA Compliance Risks and Mitigation Strategies

  4. #1 HIPAA Risk for BAs
  • BA (or its Subcontractor) Uses or Discloses PHI in a manner that violates:
    » Privacy Rule
    » BA Agreement

  5. Why Is this #1 Risk?
  • Accidents happen!
    » Subject data faxed to wrong fax number
    » Laptops stolen/lost
    » Misdirected mail
    » Snooping
    » PHI used without permission
  • And... now you can be fined for it!

  6. #1 Risk Mitigation Strategy
  • Avoid PHI
    » Determine options for de-identifying PHI once received
    » Analyze "minimum necessary" requirements for the BA's particular services

  7. #1 Risk Mitigation Strategy
  • Implement HIPAA compliance plan
    » Develop written policies and procedures
    » Train workforce and subcontractors
    » Monitor compliance and enforce policies
  • Avoid PHI
    » Determine options for de-identifying PHI once received
    » Analyze "minimum necessary" requirements for the BA's particular services

  8. Implementing HIPAA Compliance Plan: Where to Start
  • Perform Risk Assessment
    » Written assessment required for Security Rule compliance
    » Include minimum necessary gap analysis
    » In addition to written Security Rule policies and procedures, develop policies and procedures on use and disclosure of PHI (not required, but helpful to operationalize compliance)
    » Train workforce and subcontractors
    » Monitor compliance and enforce policies

  9. Implementing HIPAA Compliance Plan: Key Security Policies and Procedures
  • MUST HAVE SECURITY POLICIES AND PROCEDURES
  • Work with IT: make them read the rule
  • Consider other internal resources before hiring consultants
  • Recognize that CEs are not always savvy or compliant when it comes to HIPAA Security Rule compliance

  10. Implementing HIPAA Compliance Plan: Key Privacy Policies and Procedures
  • Need policy and procedure for reporting unauthorized use or disclosure or security incident
    » Even prior to HITECH, notification to CE required
    » Recognize that using or disclosing more than the minimum necessary is an unauthorized use or disclosure
  • Understand and recognize infrastructure limitations: BE REALISTIC!
  • Train workforce and subcontractors
  • Monitor compliance and enforce policies

  11. Implementing HIPAA Compliance Plan: Key Privacy Policies and Procedures (cont.)
  • Consider other policies and procedures:
    » Minimum necessary
    » Update employee handbook, code of conduct or other policies to identify HIPAA compliance as a requirement
    » Vendor contracting: need to include BA provisions
    » Process for handling PHI after engagement concluded (e.g., destroy or keep PHI?)

  12. #2 Risk for BAs: Minimum Necessary
  • Their problem is also your problem
    » Clients frequently violate this rule when dealing with BAs
  • Deemed compliance when using a "limited data set" (LDS)
  • Good news: creates certainty for use of LDS
  • Bad news: makes LDS a standard for minimum necessary
    » Most BA Agreements do not contain limited data set provisions

  13. #2 Risk Mitigation Strategy: Mind the Gap!
  • KEY: understand your clients and plan accordingly
    » Consider developing standard operating procedures around acceptance of PHI from CEs based on gap analysis
    » Consider standard language for engagement letters and client service agreements
    » Remember to incorporate limited data set agreement provisions into BA Agreement
    » Develop infrastructure to de-identify PHI, if possible

  14. #3 Risk for BAs: BA Agreements
  • Typical Issues
    » BA Agreement doesn't describe permitted uses and disclosures with specificity
    » BA Agreement imposes duties on BA that exceed BA's legal obligation
    » BA agrees to provisions that BA cannot operationalize
    » BA Agreement does not contain language regarding de-identification or limited data set agreement language

  15. #3 Risk Mitigation Strategy: Understand and Negotiate BA Agreement
  • Key Provisions to Negotiate
    » Written privacy policies and procedures
    » Minimum necessary
    » Breach Notification
    » Subcontractor Obligations
    » Patient Rights

  16. Understand and Negotiate BA Agreement: Written Privacy P&Ps
  • Necessary from a practical standpoint, but not technically required
  • Don't create liability for yourself: read your agreement
  • At minimum: need a document for "public consumption" describing your privacy practices and process for reporting unauthorized uses or disclosures

  17. Understand and Negotiate BA Agreement: Minimum Necessary
  • Include language obligating clients not to provide more PHI than the minimum necessary
  • Include language in engagement letters and service agreements
  • Make minimum necessary discussion a standard part of engagement
  • Determine how you will manage internally

  18. Understand and Negotiate BA Agreement: Breach Notification
  • BAs NOT required to notify OCR or patients/enrollees
  • BAs MUST notify CE of unauthorized use or disclosure or security incident (no discretion)
  • Are BAs required to conduct the risk assessment analysis to conclude whether an unauthorized use or disclosure is a "Breach"?
    » Determine your approach

  19. Understand and Negotiate BA Agreement: Understand Breach Notification
  • Remember: all unauthorized uses or disclosures of PHI require notification of CE, BUT not all unauthorized uses or disclosures are breaches
  • Three key concepts:
    » An unauthorized use or disclosure of PHI must occur
    » The PHI must be "unsecured"
    » The unauthorized use or disclosure of PHI must "compromise" the privacy or security of the PHI
  • Fact-based analysis

  20. Breach
  • "Breach" defined: the unauthorized acquisition, access, use or disclosure of unsecured PHI which compromises the security or privacy of such information
  • 3 Exceptions:
    » Unintentional access in good faith by covered entity or business associate
    » Inadvertent disclosure within covered entity
    » Unauthorized recipient reasonably could not retain information

  21. When is PHI Unsecured?
  • PHI is considered unsecured if it is not secured through the use of a technology or methodology approved by DHHS
    » In April 2009, DHHS released a safe harbor rule that encryption and destruction are the two ways to secure PHI
    » DHHS also elaborated, stating that access controls and firewalls do not make electronic data secure, and redaction of paper documents does not make them secure
  • NOTE: DHHS April 2009 guidance added a safe harbor for a Limited Data Set that excludes date of birth and zip code

  22. When is the Privacy and Security of PHI Compromised?
  • Security or privacy of PHI is only "compromised" if the breach poses a significant risk of financial, reputational, or other harm to the individual
    » NOTE: fact-based risk assessment required to determine whether PHI compromised
    » Requires assessment of how significant the threat is, based on what PHI was accessed and to whom it was disclosed
    » Must document the risk assessment in order to be able to demonstrate why no breach occurred

  23. Notification Requirement
  • The notice must contain information including:
    » what happened
    » the types of unsecured PHI that were involved
    » steps the individual should take to protect themselves from potential harm
    » what the covered entity is doing to investigate the breach, to mitigate losses and to protect against further breaches
    » contact procedures for further information

  24. Understand and Negotiate BA Agreement: Subcontractor Obligations
  • BAs now liable for noncompliance of their subcontractors
  • Vendor due diligence: know who you are dealing with
  • Create standard vendor agreements
  • Consider maintaining centralized tracking of vendor relationships and PHI disclosed, in case of unauthorized use or disclosure

  25. Understand and Negotiate BA Agreement: Patient Rights
  • Access and Amendment Rights limited to PHI in the "Designated Record Set"
    » Medical and billing records and any records used to make decisions about individuals
  • If BA does not maintain the Designated Record Set, BA is not required to grant access or amend
