HIPAA Compliance and Health IT

Transcription:

HIPAA Compliance and Health IT
Joel Benware, Anne Cramer, Esq., Jim Sheldon-Dean

Joel Benware
- Compliance Officer at Northwestern Medical Center (NMC) in St. Albans, Vt.
  o Reports directly to the NMC Board of Directors for Compliance matters.
  o Certified in Healthcare Compliance (CHC) by the Health Care Compliance Association (HCCA)
- Works with a Compliance team to develop an Annual Compliance Work Plan.
  o Plan is developed from the OIG Annual Plan and our own internal audits and education efforts from the previous year.
- Privacy and Security Officers report to Vice President of Information Systems and Compliance
  o Review all matters of HIPAA, privacy and security
  o Conduct HIPAA Security Risk Assessments
- Establish a culture of Compliance from the Board level through management to all employees, volunteers and Business Associates.

Anne Cramer
- Lawyer, representing broad spectrum of Vermont health care providers
- Anne and her firm, Primmer, advise VITL
- Began giving privacy law training to hospitals in the late 80s
- Worked on Vermont legislation to rework and consolidate patient privacy protection law in the 90s (the multi-year effort failed)
- Assists hospitals, physicians, mental health agencies, nursing homes, home health agencies and others with HIPAA privacy and security policies, trainings, compliance and breach analysis and reporting
- Advises on reconciling 42 CFR Part 2 compliance with need for treating providers to collaborate and communicate about patients

Jim Sheldon-Dean
- Focused on HIPAA compliance since before the rules were enforceable
- Providing HIPAA compliance services to a variety of entities in Vermont and nationwide
- An Engineer's approach to compliance: Break it down, understand the pieces and how they interact, and put it all together again
- Background is technology, policy, implementation
- Strong belief in education and self-audits
- We're all still learning about HIPAA and what it means today
- New technologies are testing the limits of HIPAA

Keeping Track of Paper
- Despite EHRs, a lot of patient information is still provided on paper.
- Giving the wrong printout to the wrong patient is a HIPAA violation.
- Papers must always be double-checked before handing to the patient or putting in an envelope.
- Even a small breach may be a reportable breach.
1. What are some best-practices and proper protocols for using shared printers at registration and checkout stations?
2. What should I do if I gave Ms. Jones' information to Mr. Smith?

Use of Messaging (Texting) Systems
- Smartphones and Handheld devices have capabilities that on the surface appear to be beneficial in treating patients:
  o Camera
  o Texting
  o Voice recording
- Security of PHI involved with Mobile Devices and Apps is a major, current issue, getting worse every day
1. When is it allowable to send text messages to another provider about a patient?
2. What about pictures?
3. How can I ensure the information stays safe?

Clearly Defined Designated Record Set
- Information that is not obtained by direct observation of the patient should not be included in their record.
- For instance, information relayed to a mental health provider by a patient's family, regarding observation of dangerous behavior with one of their children. Since this data was not obtained directly by observation of the patient, it should not have been scanned in to the record.
- Information relied upon to make decisions about the patient's care should be part of the HIPAA Designated Record Set.
1. How does HIPAA define the Designated Record Set?
2. What are some guidelines for scanning data into a patient's medical record?
3. If not the medical record, then where can I store this information?

Use of Business Associates
- Minimum Necessary Disclosure
- Tailoring a BAA
  o For example, after a contractor's lost laptop was recovered, it was found to have much more PHI than necessary for their work with the Covered Entity.
- Third party evaluations and attestations of good practices
1. What is meant by Minimum Necessary Disclosure?
2. What are some tips and best practices in working with Business Associates?

Creating the Proper Culture
- Employees have to feel safe in speaking up if they made a mistake themselves, or if they believe someone else in their office has made a mistake.
- The entire staff should feel like an extension of the Privacy and Security Officer.
- Organizational culture and personal responsibility are key to success in compliance.
1. What are some tips on creating the right kind of culture?
2. What is at risk if I don't speak up?

Data Ownership
- A patient returned from treatment at a community hospital. Within a week, the patient received a marketing call offering a cream to help with their recent pain issues.
- Marketing requires an authorization from the patient, while Healthcare Operations (such as providing continuing care) does not require authorization.
1. Is this Marketing, or Healthcare Operations, or a breach?
2. Who's responsible for this data breach?
3. How can we track data through all the possible intermediaries?
4. What if it was the Pharmacy that inadvertently disclosed the patient's medical condition?

Patient Generated Data
- It seems like everyone wears a health tracking device these days
- Vital sign monitoring equipment in the home also has the capability of recording information
- Devices can upload data represented as the patient's data
1. What is patient generated data?
2. When can I accept patient generated data into a patient's record?
3. What if the device is lost or stolen?

Crossroad of Privacy and Transparency
- Employees at health care organizations cannot and must not access their own data, or that of family members.
- Employees should be encouraged to use the organization's patient portal for this type of information.
- Compliance must be verified through internal audits.
- De-identification of PHI is difficult.
1. How can I give an effective demonstration of an IT system without disclosing real patient information?
2. When is it OK to use real-patient data if I blur-out some of the information?
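De-identification under the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)), as an added example that is not from the presenters or from NMC, Primmer or VITL: the Python below drops the direct identifiers Safe Harbor lists, keeps only the year of dates tied to the individual, generalizes ZIP codes to three digits, aggregates ages over 89, and then scans a record for identifiers that survive, which is what a demo screenshot with a few fields blurred on screen still carries in its free-text notes. The field names, the two sample records and the SMALL_ZIP3_AREAS set are constructed assumptions; the real list of sparsely populated ZIP3 areas comes from Census data, not from this example.

```python
import re
from datetime import date

# Field names and sample records are constructed for this example; they are
# not a real schema, a real patient, or any organization's own code.

# Safe Harbor identifiers that are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# ZIP3 areas with 20,000 or fewer residents must be reported as "000".
# Placeholder set (assumption); the real list comes from Census data.
SMALL_ZIP3_AREAS = {"036", "059"}
# Identifier formats that hide inside free text such as clinical notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def years_between(start, end):
    """Whole years from start to end, counting a birthday only once reached."""
    return end.year - start.year - ((end.month, end.day) < (start.month, start.day))


def generalize_zip(zip_code):
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_ZIP3_AREAS else zip3


def scrub_free_text(text):
    """Replace known identifier formats in free text with a marker."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} removed]", text)
    return text


def safe_harbor_deidentify(record, as_of):
    """Return a new record with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            # Ages over 89 are aggregated, and a birth year that would reveal
            # such an age is suppressed as well.
            if years_between(value, as_of) >= 90:
                out["age"] = "90+"
            else:
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """List identifiers still present in a record, for instance one that a demo
    intends to show after blurring a few fields on screen."""
    found = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            found.append(key)
        elif isinstance(value, date):
            found.append(f"{key}:full_date")
        elif key == "zip":
            found.append("zip:full")
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.append(f"{key}:{label}")
    return found


AS_OF = date(2018, 3, 20)

SAMPLE_RECORD = {  # constructed sample, not a real patient
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "birth_date": date(1931, 5, 20),
    "admission_date": date(2018, 3, 14),
    "zip": "05478",
    "state": "VT",
    "diagnosis": "J18.9",
    "notes": "Daughter can be reached at 802-555-0100 or jane.sample@example.com",
}

ELDERLY_RECORD = {  # constructed sample exercising the over-89 and small-ZIP3 rules
    "name": "John Q. Sample",
    "birth_date": date(1925, 1, 2),
    "zip": "05901",
    "diagnosis": "I10",
}

if __name__ == "__main__":
    print(residual_identifiers(SAMPLE_RECORD))
    print(safe_harbor_deidentify(SAMPLE_RECORD, AS_OF))
    print(safe_harbor_deidentify(ELDERLY_RECORD, AS_OF))
```

Two caveats a practitioner applies on top of this: the regex scrub only catches the identifier formats it knows, so free-text fields still need a human review before a record leaves the care team, and Safe Harbor additionally requires that the entity has no actual knowledge that the remaining data could identify the individual. For a system demonstration, constructed records like SAMPLE_RECORD sidestep the question entirely, which is the simplest answer to the first question on the slide.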