Slide 1: HIPAA Privacy & Security Overview
Know HIPAA Presents
Slide 2: Agenda
• HIPAA Overview
• Privacy Practices
• Security definitions
• Security standards
• Security safeguards
• Security incidents
• Sanctions
• Breach notification
• Enforcement update
Slide 3: Overview of HIPAA
HIPAA
• Title I: Health Care Access, Portability and Renewability
• Title II: Preventing Health Care Fraud and Abuse
  • Subtitle F: Administrative Simplification (we focus on this portion of HIPAA only)
    • Privacy
    • Electronic Transactions
    • Unique Identifiers
    • Information Security
    • Employer Identifier
    • Code Sets
• Title III: Tax-Related Health Provisions
• Title IV: Group Health Plan Requirements
• Title V: Revenue Offsets
Slide 4: Who Does HIPAA Impact?
• Covered Entities - Must Comply
  #1 – Health care providers
  #2 – Group health plans (fully or self-insured employer sponsored plans & health insurance issuers)
  #3 – Clearinghouses
• Business Associates - Should Comply
  #4 – Firms working with covered entities. Examples include billing services, transcription services, TPAs, brokers.
Slide 5: Protected Health Information (PHI) / Individually Identifiable Health Information
• Protected Health Information (PHI) is information relating to the past, present or future physical or mental health of an individual (employee), whether they are active or terminated.
• Individually Identifiable PHI is that which identifies an individual. This could include: name, address, date of birth, Social Security number, telephone numbers, e-mail address, account numbers, Group Health Plan beneficiary number, or any other unique identifying number, characteristic or code.
Slide 6: Privacy Rule
• Applies to paper/oral/electronic records
• Sets boundaries on the use and disclosure of health information
• Gives “individuals” more control over their own health information
• Establishes safeguards for protecting the privacy of health information
• Holds covered entities accountable for violations of privacy requirements
Slide 7: Privacy Regulation
Some requirements that a covered entity must comply with include, but are not limited to, the following:
• Designating a Privacy Official
• Designating a Contact for handling Complaints
• Developing policies and procedures on the use and disclosure of individually identifiable health information
• Providing training to all workforce members on the policies and procedures that affect their job duties
• Providing a Notice of Privacy Practices to individuals
Slide 8: How Does a Covered Entity Use Protected Health Information?
• They share this information with other healthcare providers. They are permitted to use and/or disclose information for treatment, payment or health care operations without getting permission from an individual.
• To use information for any other reason, or to disclose it to anyone other than the patient or Covered Entity, may require a signed and verified authorization.
Slide 9: Authorizations
• What is an authorization?
• When is it used?
Slide 10: Other Aspects of HIPAA Administration
• An individual has the right to access their protected health information, receive an accounting, amend their protected health information, file a complaint, request confidential communications, or restrict access to their protected health information.
Slide 11: Confidentiality
• All Covered Entity employees that have access to protected health information agree that at no time, during or after their employment with Covered Entity, will they use, access or disclose protected health information to anyone except as required or permitted in the course and scope of their duties.
• Unauthorized use/disclosure may result in disciplinary action up to and including termination.
• Civil or criminal penalties may also apply.
Slide 12: Safeguards
Covered entities must implement appropriate safeguards to protect an individual’s protected health information. Remember to do the following:
• Records that contain protected health information should be maintained in a secure location or locked away.
• Records that contain protected health information should be shredded before discarding the information.
• Passwords should not be shared with anyone.
• Electronic protected health information needs to be safeguarded as well.
Slide 13: HIPAA Security
• May 21, Purdue University
• May 21, Jackson Community College (Michigan)
• May 19, Westborough Bank (Florida)
• May, Business Week On-line forum
• May 14, MTSU
• May 5, Wharton school (MSU)
• May 2, Time Warner
• April 28, Bank of America, Commerce Bancorp, PNC Bank
• April 21, Carnegie Mellon University
• April 20, AmeriTrade
• April 8, San Jose Medical Group
• March 28, University of California, Berkeley
• March 20, Kellogg MBA program
• March 17, Boston College
• March 17, Chico State University
• March 16, Kaiser Permanente
• March 8, DSW
• March, LexisNexis (Seisint)
• February 15, Bell v. Michigan Council 25
• February, Bank of America
• February, ChoicePoint
• February, PayMaxx
• November, Wells Fargo
• November, Gibson Sentencing US District Court
• November, Minneapolis School District
Slide 14: What is Electronic PHI?
Individually identifiable health information:
– Transmitted by electronic media
– Maintained in electronic media
– Transmitted or maintained in any other form or medium
Slide 15: Security Standards
• Only those that need access
• Physical access
• Technical access
• The covered entity is responsible for the confidentiality, integrity and availability of EPHI
• The covered entity’s safeguards are the first line of defense
Slide 16: Security Standards - General rules
• Must have Policies & Procedures
• Security measures are appropriate and reasonable
• Considerations:
  • Size
  • Complexity
  • Mission
  • Purposes of the EPHI created, maintained and transmitted
Slide 17: Security Management Process
• Risk Analysis
• Risk Management
• Sanction Policy
• Information System Activity Review
Slide 18: Safeguards
• Workforce security
• Information access
• Facility Security plan
• Workstation use
• Device & Media controls
• Access controls (technical)
• Administrative requirements
Slide 19: Security Awareness
• Training
• Security reminders
• Protection against malicious software
• Password management
Slide 20: Contingency Plans (Availability)
• Data backups
• Disaster recovery
• Emergency operation plan
• May have
  – Critical applications and data
  – Testing and revisions
Slide 21: Workforce Security Training
• Who
• When
• New employees or contractors
• Due to changes
Slide 22: Events requiring action
• Security Incidents
• Sanctions
• Breach Notification
Slide 23: Security Incidents
• What are they?
• What should you do?
  – Actions depend on the incident
  – Who was responsible, third party?
  – Are Sanctions required?
Slide 24: Sanctions/Violations
• Workforce members who violate the health plan’s Privacy or Security Policies may be subject to disciplinary actions, up to and including termination.
• The amount and type of corrective action used in any particular situation will depend on the facts and circumstances. The company maintains the discretion to determine whether corrective action is appropriate.
Slide 25: Specifics
• Notification to individuals
• Notification to the media
• Notification to the Secretary
• Notification by a business associate
• Law enforcement delay
• Burden of proof
Slide 26: Guidance & Enforcement
• Annual guidance regarding technology
• Random audits
• Reports to Congress
• Increased fines
• 2013 changes
Slide 27: Why Comply?
The price for non-compliance:

| Problem | General Penalty |
|---|---|
| Civil Violation | $100/offense; up to $1.5 million/year |
| Wrongful Action | $50,000/offense; 1 year in prison |
| False Pretense | $100,000/offense; 5 years in prison |
| Intent to Sell | $250,000/offense; 10 years in prison |
Slide 28: Questions?