MITIGATING BREACH RISK IN AN ERA OF EXPANDING PHI DISCLOSURE POINTS AND REQUESTS FOR HEALTH INFORMATION
Authors: Mariela Twiggs, MS, RHIA, CHP, FAHIMA, National Director, Training and Compliance for MRO; Sara Goldstein, Esquire, Privacy and Compliance Counsel for MRO
News media attention surrounding a breach of Protected Health Information (PHI) usually involves a cyberattack where a hacker infiltrates a healthcare organization's network and steals data, or a physician has their laptop stolen. While cyberattacks and device theft are major security issues, a PHI breach is much more likely to occur during one or more of the tens of thousands of Release of Information (ROI) requests a healthcare organization receives each year. With more than 100 error types found across ROI authorizations, each request has the potential to result in a PHI breach. Although these breaches do not grab headlines as often as a cyberattack, they are damaging to healthcare organizations. Each breach can cost $8,000 to $300,000, not including HIPAA violation civil penalties, according to the results of an American National Standards Institute (ANSI) survey of organizations that had been affected by a PHI breach.[1] These costs included credit or identity theft monitoring for breach victims, forensic and legal fees, and reputational harm, including loss of goodwill and of business, according to survey respondents.[2] In addition, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights' (OCR's) larger HIPAA violation civil penalties became effective in 2013, rising to as much as $50,000 per breach with a maximum of $1.5 million annually for repeated occurrences.

PHI breaches that occur during the ROI process will likely rise as PHI disclosure points and requests for health information increase across organizations due to several factors. One is the increase in healthcare merger and acquisition activity. These consolidating healthcare organizations may face differing electronic medical record (EMR) systems and PHI disclosure policies and procedures, depending on the facility. The lack of standardized processes and expanding disclosure points make PHI disclosure challenging to govern and track, making a breach more likely.

Another factor driving the increase in PHI breach risk is a growing volume of ROI requests due to the changing healthcare market. With payment shifting to value and outcomes, care coordination is essential, which requires more health information exchange with providers across the care continuum. Emphasis on value and quality of care also brings more audits from government and commercial payers requesting PHI to ensure care gaps are addressed and payments were accurate. Patients, who are increasingly engaged in their care for a variety of reasons including the expansion of personal health and fitness monitoring technologies, are requesting health information more often to share with specialists and other providers to manage their health. Patient access criteria within the Centers for Medicare and Medicaid Services' (CMS's) Meaningful Use incentive program add a level of complexity by requiring strict turnaround times for patient requests. This more frequent and faster PHI exchange poses increased risks for provider organizations, regardless of their involvement in emerging healthcare delivery or payment models. The OCR plans to issue new guidance on patient access in the fall.

Standardizing disclosure policies and procedures across their enterprise can help organizations comply with these regulations and manage the increased ROI request volume. Transitioning to a standardized process may include partnering with a technology-driven disclosure management partner with highly trained and knowledgeable staff that can bring consistency to the organization and further mitigate risk with additional safeguards against breach. Partnering with a knowledgeable technology and services partner can relieve organizations of the PHI disclosure management burden and ensure compliance with federal and state regulations, all while delivering complete transparency and control to departmental managers.

Copyright 2015 MRO Corporation
Improper disclosure of PHI: common cause of breach

Criminal attacks and lost or stolen devices were the root cause of most PHI data breaches last year, but almost as many, 40 percent, were due to unintentional employee action, according to 2015 survey results from the Ponemon Institute.[5] These unintentional employee actions, namely employee negligence, are also the top security concern among healthcare organization leaders, above cyberattacks, according to the survey. Unintentional employee actions include more than using the wrong fax number or mailing address when disclosing PHI. With traditional ROI workflows, 20 to 30 percent of all submitted authorizations are initially found to be invalid.[6] Many invalid authorizations are caught and corrected at the facility during the initial evaluation and tracking phase. However, with a wide variety of errors found across authorizations, a secondary review is critical to accuracy and to avoiding improper disclosure.

PHI breaches are not isolated incidents. Ninety-one percent of healthcare organizations surveyed by Ponemon reported a PHI breach in the last year, while 40 percent reported more than five. Also of concern is that 69 percent of organizations did not discover the breach until an audit, so the improper disclosure may have occurred weeks or months earlier. With standardized, enterprise-wide PHI disclosure policies, procedures and oversight, many of these errors could be detected through a quality assurance process at the proper stage, preventing any unauthorized disclosure.

Breaches costly

Although PHI breaches are common, federal regulators have become even more stringent when it comes to financial penalties for non-compliance. Since the HIPAA breach notification requirement took effect in 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the OCR has assessed approximately $27.25 million in settlement agreement fines or civil money penalties as of September. In addition, the HIPAA Final Omnibus Rule, which went into effect in 2013 and raised violation penalties to their current levels, included breach-reporting requirements that were changed to a policy of "guilty until proven innocent." This means that in cases of improper disclosure, a breach is always assumed unless the provider can demonstrate that there is a low probability that the PHI has been compromised. When news media learn of a breach, such as when they receive a HIPAA-mandated notification from the organization because the breach impacted 500 or more individuals, the reputational damage causes an incalculable financial impact.[7] For example, if the breach diminishes the hospital's brand in the community, it can contribute to the loss of current and/or new patients, as well as physicians or business partners who leave the organization due to reputational damage.[8]

While cyberattacks or device thefts make for sensational headlines, breaches due to employee or organizational errors are also reported in the news. For example, one news outlet reported that a clerical error at St. Vincent Breast Center in Indianapolis in 2014 resulted in 63,325 patients receiving a mailing containing incorrect information, including the names, addresses and appointment times of other patients.[9] Even much smaller PHI breaches may end up in the news. In 2013, Oakland, Calif.-based WestCoast Children's Clinic notified patients of a PHI breach after it faxed just one patient's information to an incorrect fax number.[10] As the clinic explained to news outlets in a written statement and to patients in a letter, a number of PHI disclosure protocol steps were not followed, including checking the fax number and notifying the recipient that the fax was sent. A qualified PHI disclosure management partner has technology and knowledgeable, trained staff to minimize errors like those described above, regardless of the size of the institution or PHI disclosure.

Apart from potential reputational damage, a troubling new trend for healthcare providers could also make PHI breaches more costly. As many as 10 states now consider HIPAA to be the relevant standard of care for state privacy violation claims brought by individuals.[11] This means that even if providers are penalized by the OCR for a PHI breach, they could still be sued by the individuals for negligence. One of the most well-known of these cases is Byrne v. Avery Center for Obstetrics and Gynecology in Connecticut, which in 2014 was ruled on by the state's Supreme Court in favor of the plaintiff. The practice was sued for negligent infliction of emotional distress and negligence for failing to use proper and reasonable care in protecting the plaintiff's medical records, which she had forbidden from being released. The practice released the plaintiff's medical records after receiving a subpoena, but did not notify the plaintiff or object to the subpoena, as required by HIPAA. The Connecticut Supreme Court ruled that HIPAA does not preempt the state's laws surrounding the plaintiff's negligence claims, but rather that HIPAA represents the standard of care the providers should have followed. The higher court remanded the case back to the trial court to rule on the negligence claims.
Hospital departments other than Health Information Management (HIM), as well as ambulatory practices, such as in this case, may not be as knowledgeable about PHI disclosure regulations and may inadvertently fulfill an unauthorized ROI request, resulting in a breach. A highly trained and knowledgeable PHI disclosure management partner would have informed the practice that a subpoena does not always require the records to be released and would have ensured that the compliant PHI disclosure process was followed.[12]

Factors driving breach risks

While it is clear that PHI disclosure breaches are common and costly, numerous factors are driving an increase in breach risks, especially the consolidation of the healthcare industry through mergers and acquisitions and more information being shared electronically. Healthcare merger and acquisition activity increased 16.3 percent in 2014 compared to 2013, and is expected to continue at that pace. As large health systems acquire more hospitals and physician practices, PHI disclosure policies, procedures and technology may vary greatly between facilities. For example, some newly acquired facilities may have varied timelines for fulfilling ROI requests or use multiple disclosure management vendors. Standardizing and centralizing disclosure policies and procedures can establish consistency and compliance across the enterprise, thus increasing the accuracy of all disclosures in both hospital and ambulatory settings.

Another factor driving breach risk, disclosing PHI electronically (ePHI), has emerged as more organizations recognize electronic disclosure's efficiencies over paper. EMRs allow more people to access PHI from within a healthcare enterprise, including those who are not specially trained in the ROI function. Due to this expanded access, some organizations may have as many as 40 disclosure points across their enterprise,[14] which increases the risk of serious breach when patient records are released outside of the HIM process, where the same level of procedural scrutiny does not occur. Some healthcare organizations may be exchanging ePHI through unsecured email, which is not HIPAA compliant and could result in a breach. There are, however, compliant and secure methods for electronically exchanging PHI, including patient and requester portals, secure email, Direct Secure Messaging, the Social Security Administration's MEGAHIT program for Disability Determination, and esMD for CMS audits. Many healthcare organizations may not be aware these resources are available through a knowledgeable, technology-driven PHI disclosure management partner. When used properly, these electronic PHI disclosure methods can decrease days in accounts receivable and improve ROI fee collections with more accurate and timely billing, while decreasing labor and costs by eliminating paper-based processes. As a result, electronic PHI disclosure processes can safeguard hospitals from the financial risk associated with breach, while also enhancing revenue through improved efficiencies.

Choosing the right partner for PHI disclosure management

In this changing environment, many healthcare organizations have discovered the value of partnering with a technology-driven PHI disclosure management vendor. Partnering with a vendor for PHI disclosure management processes like ROI is seen as valuable because the traditional ROI process is resource intensive, requiring answering requester calls, providing phone support and issue resolution, retrieving records, invoicing, collections, producing copies, delivering PHI and tracking requests. Due to limited resources and escalating ROI requests, increased errors and inefficiencies can occur throughout the process. Just the request logging and tracking process can often lend itself to typos and/or improper entry that may result in records being distributed to the wrong place, especially where institutions receive a large volume of requests. A PHI disclosure management partner can take over most of these duties from HIM departments, while ensuring compliance with all PHI privacy and security regulations of HIPAA and HITECH, as well as unique state and facility regulations.

Disclosure management partners, however, vary greatly in quality and capabilities. Healthcare organizations should seek a technology-driven partner who can help improve not only the compliance of PHI disclosure and exchange, but also its efficiency. Ideal partners are at the forefront of electronic exchange of PHI, offering online portals for requesters; Direct Secure Messaging; interfaces with the Social Security Administration for Disability Determination requests; and esMD for CMS. These advanced technology capabilities may also include optical character recognition (OCR) scanning so that every document is electronically examined prior to disclosure to prevent co-mingled records, which, while infrequent, pose a significant breach risk. For a 300-bed hospital, which will typically have approximately 33,000 ROI requests per year, 0.7 percent of those records are likely to be co-mingled, resulting in 231 potential breaches that could be avoided by partnering with a knowledgeable and technology-driven disclosure management vendor.
In addition, ensuring a secure and compliant ROI process and avoiding PHI breaches begins with hiring, training and managing qualified staff. Organizations should seek out PHI disclosure management partners who invest in rigorous hiring and training processes and who have reputations for delivering high-quality client and requester service. KLAS, a firm that helps healthcare providers make informed technology decisions by reporting accurate, honest and impartial vendor performance data, is a credible resource for providers in evaluating ROI partners.

Taking the chance out of risk

Protecting your organization from a criminal attack is important, but organizations should consider how much more likely a PHI breach is to occur simply due to an error in ROI procedures. Consider again a 300-bed hospital with 33,000 ROI requests per year. In that year, the hospital likely received 6,600 invalid requests, of which as many as 3,300 would be fulfilled despite the invalid authorizations. The OCR levies a fine 18 percent of the time a PHI breach complaint is lodged. If a complaint was raised just half of one percent of the time, an OCR average fine of $25,000 per breach would have exposed this hospital to potential settlement agreement fines of $74,250 in that year alone. If this hospital partnered with a technology-driven PHI disclosure management vendor as described above, the number of fulfilled invalid requests would have decreased to just one, with a potential $30 fine. As in this example, potential PHI breaches can occur at organizations thousands of times per year without the proper disclosure policies, procedures and technology. Rather than attempting to manage this growing volume of requests on their own, healthcare organizations should consider partnering with an experienced, proven and technology-driven PHI disclosure management vendor. This partner can help establish standardized procedures and technology, alleviating the ROI request and compliance burden across the enterprise and mitigating risk. The HIM department and other disclosing parties can then concentrate on their core competencies to help the healthcare organization deliver higher quality, cost-effective care.
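The 300-bed hospital arithmetic above, carried through as an added example in Python (not MRO's code or model): the baseline parameter values are the paper's own figures, while the secondary-review catch rate used in the what-if scenario is a hypothetical assumption.

```python
"""Expected annual OCR fine exposure from invalid Release of Information (ROI)
authorizations, following the white paper's chain of estimates:

  requests x invalid rate x fulfilled rate x complaint rate x fine rate x avg fine

Each step is kept as a separate field so an analyst can see where the
exposure comes from and which factor a control actually changes.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RoiRiskScenario:
    requests_per_year: int   # ROI requests received in a year
    invalid_rate: float      # share of authorizations initially found invalid
    fulfilled_rate: float    # share of invalid ones still fulfilled (the breaches)
    complaint_rate: float    # share of breaches that lead to an OCR complaint
    fine_rate: float         # share of complaints that end in a fine
    avg_fine: float          # average settlement/fine per fined complaint


@dataclass(frozen=True)
class RoiRiskResult:
    invalid_requests: float
    fulfilled_invalid: float   # potential breaches
    expected_complaints: float
    expected_fines: float
    expected_fine_exposure: float


def estimate_roi_breach_exposure(s: RoiRiskScenario) -> RoiRiskResult:
    """Multiply the paper's factors in order and round each stage to cents."""
    invalid = s.requests_per_year * s.invalid_rate
    fulfilled = invalid * s.fulfilled_rate
    complaints = fulfilled * s.complaint_rate
    fines = complaints * s.fine_rate
    return RoiRiskResult(
        invalid_requests=round(invalid, 2),
        fulfilled_invalid=round(fulfilled, 2),
        expected_complaints=round(complaints, 2),
        expected_fines=round(fines, 2),
        expected_fine_exposure=round(fines * s.avg_fine, 2),
    )


def with_secondary_review(s: RoiRiskScenario, catch_rate: float) -> RoiRiskScenario:
    """What-if: a secondary review that catches `catch_rate` of the invalid
    authorizations that would otherwise be fulfilled. The catch rate is a
    hypothetical input, not a figure from the paper."""
    if not 0.0 <= catch_rate <= 1.0:
        raise ValueError("catch_rate must be between 0 and 1")
    return replace(s, fulfilled_rate=s.fulfilled_rate * (1.0 - catch_rate))


def comingled_record_estimate(requests_per_year: int, comingle_rate: float) -> int:
    """Potential breaches from co-mingled records before any document check."""
    return round(requests_per_year * comingle_rate)


# The paper's 300-bed hospital baseline.
BASELINE = RoiRiskScenario(
    requests_per_year=33_000,
    invalid_rate=0.20,       # low end of "20 to 30 percent ... initially found to be invalid"
    fulfilled_rate=0.50,     # "as many as 3,300 would be fulfilled" of 6,600
    complaint_rate=0.005,    # "just half of one percent"
    fine_rate=0.18,          # "OCR levies a fine 18 percent of the time"
    avg_fine=25_000,         # "OCR average fine of $25,000 per breach"
)

if __name__ == "__main__":
    base = estimate_roi_breach_exposure(BASELINE)
    print(f"baseline: {base.fulfilled_invalid:,.0f} potential breaches, "
          f"${base.expected_fine_exposure:,.2f} expected fine exposure")
    reviewed = estimate_roi_breach_exposure(with_secondary_review(BASELINE, 0.90))
    print(f"with 90% review catch rate (assumed): {reviewed.fulfilled_invalid:,.0f} "
          f"potential breaches, ${reviewed.expected_fine_exposure:,.2f}")
    print(f"co-mingled records at 0.7%: {comingled_record_estimate(33_000, 0.007)}")
```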
Footnotes

1. The American National Standards Institute (ANSI). The Financial Impact of Breached Protected Health Information. Report. March
2. ANSI, et al.
3. American Medical Association. HIPAA Violations and Enforcement. Solutions for Managing Your Practice. Web page. hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page?
4. National Institute of Standards and Technology and the U.S. Department of Health and Human Services, Office for Civil Rights. Safeguarding Health Information: Building Assurance through HIPAA Security. Annual Conference. September. Washington, DC.
5. Ponemon Institute. Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. Research Report. May
6. MRO research based on client data.
7. Diaz, Luis J. and Crapo, David N. The Cost Of A Data Breach: The Health Care Perspective. Metropolitan Corporate Counsel. November 18
8. ANSI, et al.
9. Auslen, Michael. St. Vincent Breast Center mails 63,000 letters to wrong patients. The Indianapolis Star. July 4
10. McCann, Erin. Fax mishap leads to HIPAA breach. Healthcare IT News. April 25. com/news/fax-mishap-leads-hipaa-breach
11. Thompson Hine LLP. De Facto Private Right of Action Under HIPAA: Is Ohio Next? Health Care Law Update.
12. The U.S. Department of Health and Human Services. Court Orders and Subpoenas. HHS.gov web site. Accessed August 18
13. Morse, Susan. Healthcare M&A activity to persist in 2015, report states. Healthcare Finance News. March 18
14. Roop, Elizabeth S. Disclosure Management More Complicated Than Ever. For The Record. April. fortherecordmag.com/archives/0414p12.shtml
More informationIt defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow.
Office of Compliance Programs Revised: July 18, 2017 HIPAA Privacy HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all
More informationPrivacy & Security: What You Need to Know
Privacy & Security: What You Need to Know DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
More informationA Day in the Life of a Compliance Officer
A Day in the Life of a Compliance Officer (for small physician practices) Mina Sellami, MBA, PMP, JD MedProv, LLC Julia Konovalov Medical Business Partners September 29, 2016 Agenda Government Regulations
More informationCompliance with HIPAA Administrative Simplification
Compliance with HIPAA Administrative Simplification HIPAA Administrative Simplification Regulations Transaction & Code Sets Privacy Security National Provider, Employer & Health Plan Identifiers Claims
More informationYour Role in Protecting Patient Privacy 2018
Your Role in Protecting Patient Privacy 2018 1 Training Focus This training will focus on what responsibilities you have in order to ensure that both you and our organization are in compliance with state
More informationCompliance. TODAY February Promoting a culture of compliance in daily operations and business goals. an interview with Darrell Contreras
Compliance TODAY February 2017 A PUBLICATION OF THE HEALTH CARE COMPLIANCE ASSOCIATION WWW.HCCA-INFO.ORG Promoting a culture of compliance in daily operations and business goals an interview with Darrell
More informationNew Employee Orientation HIPAA Privacy. Marcia Matthias, MJ, RHIA, CHPC Corporate Director, Health Information/Privacy Officer
New Employee Orientation HIPAA Privacy Marcia Matthias, MJ, RHIA, CHPC Corporate Director, Health Information/Privacy Officer Definitions HIPAA Health Insurance Portability and Accountability Act PHI Protected
More informationDavid Behinfar, JD, LLM, CHC, CIPP University of Florida College of Medicine Jacksonville UF Privacy Manager (904)
David Behinfar, JD, LLM, CHC, CIPP University of Florida College of Medicine Jacksonville UF Privacy Manager (904) 244 6229 david.behinfar@jax.ufl.edu 1 Presentation Summary High level Summary of the federal
More informationHIPAA and HITECH: Privacy and Security of Protected Health Information
HIPAA and HITECH: Privacy and Security of Protected Health Information What is HIPAA? Health Insurance Portability and Accountability Act of 1996 A federal law enacted to: Protect the privacy of a patient
More informationPRIVACY BREACH GUIDELINES
PRIVACY BREACH GUIDELINES Purpose The may provide some guidance to government institutions, local authorities, and health information trustees (hereinafter Organizations) in Saskatchewan when a privacy
More informationPOTENTIAL LIABILITY: PATIENT HEALTH INFORMATION PORTALS
POTENTIAL LIABILITY: PATIENT HEALTH INFORMATION PORTALS Jeanne M. Born, RN, JD 22 JANUARY 2015 Jborn@nexsenpruet.com Medical Record Information: Ownership and Patient Rights The physician owns the physician
More informationSEVEN SEVEN. Credentialing tips designed to help keep costs down and ensure a healthier bottom line.
Seven Tips to Succeed in the Evolving Credentialing Landscape SEVEN SEVEN Credentialing tips designed to help keep costs down and ensure a healthier bottom line. 7The reimbursement shift from fee-for-service
More information2012 National Patient Safety Goals and National Priorities Partnership Goals addressed in this case study
(ROI) University of California Davis Health System 2315 Stockton Blvd., Sacramento, CA 95817 Noel Sousa Finance Director noel.sousa@ucdmc.ucdavis.edu Michael Smith Financial Analyst michael.smith@ucdmc.ucdavis.edu
More informationToward the Electronic Patient Record:
June 2007 Toward the Electronic Denise Henderson Director, Consulting Services MedSynergies, Inc. Toward the Electronic The TEPR (Toward the Electronic Patient Record) conference held by the Medical Records
More informationRelease of Medical Records in Ohio OHIMA. Ohio Revised Code (ORC) HIPAA
Release of Medical Records in Ohio OHIMA March, 2010 Ann Hubbuch, JD, RHIA Vice President Corporate Compliance Licking Memorial Health Systems Ohio Revised Code (ORC) One part of the puzzle What controls.hipaa
More informationTHE FUTURE OF HEALTHCARE TECHNOLOGY CareTech Solutions
THE FUTURE OF HEALTHCARE TECHNOLOGY 1 THE FUTURE OF HEALTHCARE TECHNOLOGY NTT SmartShirt Records vitals to enhance athletic performance Real time monitoring of vital EKG, EMG, Respiratory Rate, Muscle
More informationHIPAA Breach Policy & Procedures Handbook
HIPAA Breach Policy & Procedures Handbook TABLE OF CONTENTS PART 1: POLICY... 5 I. Introduction... 6 Purpose... 6 Rationale... 6 Policy Statement... 6 Scope... 7 Definitions... 7 EXCEPTIONS... 7 II. Responsibility...
More informationCatholic Charities Disabilities Services. In-Home Behavioral Support Services (2017)
Catholic Charities Disabilities Services In-Home Behavioral Support Services (2017) A Program funded through a Family Support Services Grant from OPWDD Submit Application and supporting documentation to:
More informationThe HIPAA Privacy Rule and Research: An Overview
The HIPAA Privacy Rule and Research: An Overview Joy Pritts, JD Research Associate Professor Health Policy Institute Georgetown University jlp@georgetown.edu 1 Topics HIPAA Background Overview of Privacy
More informationData Sharing Consent/Privacy Practice Summary
Data Sharing Consent/Privacy Practice Summary Profile Element Description Responsible Entity Legal Authority Entities Involved in Data Exchange HIPAAT International Inc. US HIPAA HITECH 42CFR Part II Canada
More informationEast Carolina University 2010 Annual HIPAA Privacy Training
East Carolina University 2010 Annual HIPAA Privacy Training What are the HIPAA Privacy and Security Rules? Federal laws that govern the use and disclosure of health information of our patients and research
More informationComparison of Health IT Provisions in H.R. 6 (21 st Century Cures Act) and S (Improving Health Information Technology Act)
Comparison of Health IT Provisions in H.R. 6 (21 st Century Cures Act) and S. 2511 (Improving Health Information Technology Act) Policy Proposal Health Software Regulation Senate Innovations Initiative
More informationREPORT OF THE BOARD OF TRUSTEES. Protection of Clinician-Patient Privilege (Resolution 237-A-17)
REPORT OF THE BOARD OF TRUSTEES B of T Report 16-A-18 Subject: Presented by: Referred to: Protection of Clinician-Patient Privilege (Resolution 237-A-17) Gerald E. Harmon, MD, Chair Reference Committee
More informationNATIONAL ASSOCIATION FOR STATE CONTROLLED SUBSTANCES AUTHORITIES (NASCSA) MODEL PRESCRIPTION MONITORING PROGRAM (PMP) ACT (2016) COMMENT
1 NATIONAL ASSOCIATION FOR STATE CONTROLLED SUBSTANCES AUTHORITIES (NASCSA) MODEL PRESCRIPTION MONITORING PROGRAM (PMP) ACT (2016) SECTION 1. SHORT TITLE. This Act shall be known and may be cited as the
More informationNOTICE OF PRIVACY PRACTICES
NOTICE OF PRIVACY PRACTICES Effective Date: May 31, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW
More informationRECENT DEVELOPMENTS 3/17/2015
Trends, Challenges, and Best Practices for an Effective Home Health Compliance Program Asha Scielzo, Special Counsel Pillsbury Winthrop Shaw Pittman Tina Rao, Chief Counsel of Healthcare Maxim Healthcare
More informationSUMMARY OF NOTICE OF PRIVACY PRACTICES
LAKE REGIONAL MEDICAL GROUP 54 HOSPITAL DRIVE OSAGE BEACH, MO 65065 SUMMARY OF NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU
More informationProtecting Ideas: Perspectives for Individuals and Companies
Toy Industry Association White Paper Protecting Ideas: Perspectives for Individuals and Companies Prepared for the Toy Industry Association by: Carter, DeLuca, Farrell & Schmidt, LLP 445 Broad Hollow Road,
More informationNOTICE OF HOSPICE EL PASO S PRIVACY PRACTICES
NOTICE OF HOSPICE EL PASO S PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
More informationPRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS
PRIVACY POLICY As of April 14, 2003, the Federal regulation on patient information privacy, known as the Health Insurance Portability and Accountability Act (HIPAA), requires that we provide (in writing)
More informationHIPAA P12 CMS Data Use Agreements & Data Management Plans
HIPAA P12 CMS Data Use Agreements & Data Management Plans FULL POLICY CONTENTS Scope Reason for Policy Definitions Policy Statement ADDITIONAL DETAILS Additional Contacts Related Information History Effective:
More informationNotice of Privacy Practices
Notice of Privacy Practices, pg. 1 of 5 Notice of Privacy Practices CATHOLIC CHARITIES OF THE ROMAN CATHOLIC DIOCESE OF SYRACUSE, NY This notice describes the privacy practices of Catholic Charities of
More informationR. Gregory Cochran, MD, JD
California Academy of Attorneys for Health Care Professionals October 19-21, 2012 Government Subpoenas (and other Requests) and Health Privacy Considerations R. Gregory Cochran, MD, JD Overview Overview
More informationResponding to Healthcare Industry Regulations Date: May 9, 2013
Adhering to Healthcare Industry Regulatory Requirements New laws and regulations governing the Healthcare industry have been recently upgraded and will require management to comply by September 23. 2013,
More informationHIPAA Policies and Procedures Manual
UNIVERSITY of NORTH CAROLINA at CHAPEL HILL SCHOOL of NURSING HIPAA Policies and Procedures Manual November 2015 1 Table of Contents I. INTRODUCTION... 3 A. GENERAL POLICY... 3 B. SCOPE... 3 II. DEFINITIONS...
More informationPATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES
Helping People Perform Their Best PRIVACY, RIGHTS AND RESPONSIBILITIES NOTICE PATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES Request Additional Information or to Report a Problem If you have questions
More informationalways legally required to follow the privacy practices described in this Notice.
The ANXIETY & STRESS MANAGEMENT INSTITUTE 1640 Powers Ferry Rd, Building 9, Suite 10 0, Marietta, Georgia 30067, 770-953-0080 Health Insurance Portability and Accountability Act (HIPAA) NOTICE OF PRIVACY
More informationHIPAA Privacy Rights and Operations Guide HIPAA Security Summary For the Practice of: Vail Aspen Breckenridge Dermatology
HIPAA Privacy Rights and Operations Guide HIPAA Security Summary For the Practice of: Vail Aspen Breckenridge Dermatology Publish Date: 1/2/2018 This guide has been created to serve Vail Aspen Breckenridge
More informationSlide 1 WHO IS THE CLIENT? WHO CONTROLS THE RECORD? ETHICS AND HIPAA. Slide 2. Slide 3. The Four As of Ethical Practice
Slide 1 WHO CONTROLS THE RECORD? ETHICS AND HIPAA 22 nd Oklahoma Child Abuse & Neglect Conference Norman, Oklahoma, on September 4, 2014 Dr. Arlene B. Schaefer, Ph.D. Forensic and Clinical Psychology Oklahoma
More informationNOTICE OF PRIVACY PRACTICES Mid-Atlantic Women s Care, PLC Effective Date: September 23, 2013 Last Revised: February 15, 2018
NOTICE OF PRIVACY PRACTICES Mid-Atlantic Women s Care, PLC Effective Date: September 23, 2013 Last Revised: February 15, 2018 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
More informationResponding to Today s Health Care Regulatory Environment
Responding to Today s Health Care Regulatory Environment St. Joseph s Health Michael R. Holper SVP, Compliance and Audit Services October 26, 2016 2014 Trinity Health. All Rights Reserved. 1 We operate
More informationEMPOWERING THE NEW HEATHCARE ERA
EMPOWERING THE NEW HEATHCARE ERA THE NJ/DV HIMSS REGIONAL MEETING NOVEMBER 12 14, 2014 BALLY S HOTEL & CASINO ATLANTIC CITY, NJ. Ensuring Privacy and Security of Health information Exchange in Pennsylvania
More informationF O R G R E AT E R H E A LT H
FOR GREATER HEALTH Whether you re sending medical records or retrieving them, it can be a complicated process. Layer on top of that the need to protect your revenue and leverage data in an impactful way.
More informationHow will the system be used? Small practice Large Multispecialty group How well do the workflows and content
Electronic Medical Records All EMRs are the same Milisa Rizer, MD Chief Medical Information Officer Associate Professor Clinical Department of Family Medicine The Ohio State University Wexner Medical Center
More informationNOTICE OF PRIVACY PRACTICES
VII-07B Notice of Privacy Practices (p) The MetroHealth System 2500 MetroHealth Drive Cleveland, OH 44109-1998 NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW WE MAY USE AND DISCLOSE YOUR PROTECTED
More informationForward-thinking healthcare solutions It s what we do. Healthcare Law
Forward-thinking healthcare solutions It s what we do Healthcare Law A well-regarded firm with a sophisticated healthcare practice offering expert advice to a broad base of clients including hospitals,
More information