HCCA Institute Privacy Officer Round Table Discussion


Marti Arvin, Deann Baker

Why We're Here
- A facilitated discussion of current issues that Privacy Professionals are dealing with in their day-to-day work
- Opportunity to learn from colleagues who are dealing with similar issues
- Networking opportunity and cathartic chance to realize you are not alone

Discussion topics
- HITECH and the evolution of EHRs
- OCR Privacy and Security Audits
- Social Media
- Culture
- Topics identified by the group

Agenda
Part I, 8:00 am to 9:45 am
- Introduction
- Identification of topics the group wants to discuss
- HITECH and the evolution of EHRs
Part II, 10:00 am to 11:45 am
- Identification of any new topics from new participants
- OCR Privacy and Security Audits
- Social Media
- Organizational Culture

Definitions
- Notice of Proposed Rule Making (NPRM)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Electronic Health Record (EHR) or Electronic Medical Record (EMR)
- Covered Entity (CE)
- Business Associate (BA)

HITECH Act & Evolution of EHR Discussion

HITECH/EHR Checklist
Items to be discussed:
- Enforcement
- Data Breach reporting
- Restrictions
- Accounting/Access
- Auditing/Access
- Marketing/Fundraising
- Enforcement activities
Considerations:
- Dates
- Interim Rules
- State Laws

Enforcement
- When your breach occurred may be important: did it occur before the increase to the CMPs in February 2009?
- OCR will apply the old CMPs to old breaches and the new CMPs to new breaches.
- As we get further from the February 2009 date this will matter less, but you should be aware of it.

Breach Checklist
- State Law impacts
- Roles and Responsibilities
- Risk Assessment activities
- Reporting and disclosure processes
- Managing activities and response
- Policies & procedures
- Sanctions of work force
- Internal process

Internal Checklist
1. Communication plan: senior management, board members, legal department, risk management, IT, and marketing or others
2. Initial action plan: determine who does what activities based on expertise; manage internal and external inquiries (communication)
3. Investigation and risk assessment activities: what information was lost, disclosed, intercepted, or altered; what occurred, how and why, and potential liability

Internal Checklist (continued)
6. External notification: enforcement agencies and patients; timelines to be considered based on what and when you know; determine how to send the notifications based on what you learn
7. Response plan to inquiries after notification: litigation (determine who the contact will be)
8. Corrective action plans: remediate damages; audit and monitor

Breach Checklist
- Individual Notice
- Media Notice
- Notice to the Secretary
- Notice to BA
- Burden of Proof

Resources: http://www.google.com/search?q=hitech+access+-accounting+of+disclosures&rls=com.microsoft%3a*%3aie-SearchBox&oe=UTF-8&sourceid=ie7&rlz=1I7ADFA_enUS395&safe=active&oq=HITECH+Access+accounting+of+disclosures&aq=f&aqi=&aql=&gs_sm=3&gs_upl=39327l54842l0l55108l42l41l3l28l0l1l343l2233l0.2.6.1l9l0

Breach Examples
- Stanford Health: an external vendor shared a file with a prospective applicant, who then posted it on a site asking if anyone could help him create graphs from the data
- UCLA Health System: stolen hard drive
- Sutter Health: an unencrypted device with information on 4.2 million patients was stolen
- February 2012: records from Dashy Medical Center in New York found scattered on the sidewalk
- St. Joseph Health, Orange County, CA: notified 32,000 patients that their records may have been searchable on the internet. The hospital became aware of the breach when a patient's attorney contacted them.
- Lakeview Medical Center, WI: hundreds of patients notified that their records may have been exposed when a laptop was stolen from a car. Interesting note: the data was encrypted, but the question is whether the encryption was NIST grade.

Interesting stats from the OCR "Wall of Shame" (breaches of over 500 individuals)
- Which state/territory had the most breaches? California wins with 43.
- Which state/territory had the information of the most individuals compromised? Virginia wins with 4.9 million.
- Which states/territories had the least? AS, ND, ID, UT, LA, IA, DE, WY, MT all reported 1. AS had the fewest in number of individuals impacted, at 501.

Interesting stats from OCR: what are the top five reasons for the compromise of the data?
1. Theft (over 50% of the incidents)
2. Unauthorized access/disclosure
3. Loss
4. Hacking/IT incident
5. Improper Disposal

Identity Theft
- According to ID Experts, medical identity theft is estimated to cost $234 billion annually, based on FBI estimates
- The street value of a stolen medical identity is approximately $50, according to the World Privacy Forum
- Roughly 1.4 million Americans were victims of medical identity theft in 2010, according to a study done by Ponemon Institute
- The same report estimated the annual economic impact to be $30.9 billion

Restrictions Checklist
- Minimum Necessary for use, disclosure and requests
  - Limit to the data set needed to accomplish the intended purpose
- Policies and procedures
  - Uses: roles of workforce; types of PHI needed; conditions for access
  - Disclosures and requests: routine and recurring requests; non-routine and non-recurring requests (to be reviewed on an individual basis)
- Fundraising and Marketing
- Business Associates (contracts)
- Treatment
- Payment
- Health care operations

Accounting Checklist
- Accounting of disclosures of certain information in electronic format
- TPO
- CEs with EHRs (date dependent)
- BA requirement
- Uses

EHR Audit
Auditing and Monitoring reports:
- same last name
- same name
- chart modification
- VIP or Person of Interest
- Break the glass functionality
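As an added example (not from the presentation or any vendor's product), the following Python review runs the audit triggers named above over constructed EHR access-log events: same last name, same name, chart modification, VIP/person of interest, and break-the-glass access. The event fields, the sample events and the VIP list are assumptions made for illustration.

```python
# Added example: flag EHR access events that match the audit triggers a
# privacy officer would pull for review. The AccessEvent fields, the sample
# events and the VIP list are constructed assumptions, not a real log format.
from dataclasses import dataclass


@dataclass
class AccessEvent:
    event_id: str
    user_name: str       # workforce member, "First Last"
    patient_name: str    # patient whose chart was accessed, "First Last"
    patient_id: str
    action: str          # "view" or "modify"
    break_glass: bool    # emergency-override ("break the glass") access


def _surname(full_name: str) -> str:
    return full_name.strip().split()[-1].casefold()


def audit_flags(ev: AccessEvent, vip_ids: frozenset) -> list:
    """Return the names of every audit trigger this event matches."""
    flags = []
    if ev.user_name.strip().casefold() == ev.patient_name.strip().casefold():
        flags.append("same name")          # possible self-lookup
    elif _surname(ev.user_name) == _surname(ev.patient_name):
        flags.append("same last name")     # possible family-member lookup
    if ev.action == "modify":
        flags.append("chart modification")
    if ev.patient_id in vip_ids:
        flags.append("VIP/person of interest")
    if ev.break_glass:
        flags.append("break the glass")
    return flags


def review(events, vip_ids) -> dict:
    """Map event_id -> matched triggers for every event needing follow-up."""
    vip = frozenset(vip_ids)
    report = {}
    for ev in events:
        matched = audit_flags(ev, vip)
        if matched:
            report[ev.event_id] = matched
    return report


# Constructed sample log; names and identifiers are fictitious.
SAMPLE_EVENTS = [
    AccessEvent("e0", "Ana Lopez", "Dana Reyes", "p103", "view", False),
    AccessEvent("e1", "Ana Lopez", "Carl Meyer", "p100", "view", False),
    AccessEvent("e2", "Ana Lopez", "Rosa Lopez", "p101", "view", False),
    AccessEvent("e3", "Ana Lopez", "Ana Lopez", "p102", "view", False),
    AccessEvent("e4", "Ben Okafor", "Dana Reyes", "p103", "modify", True),
    AccessEvent("e5", "Ben Okafor", "Carl Meyer", "p100", "view", False),
]
SAMPLE_VIPS = {"p100"}   # patients designated VIP / person of interest
```

Calling `review(SAMPLE_EVENTS, SAMPLE_VIPS)` returns only the five events that match a trigger; the unflagged event e0 is what a routine, in-role access looks like.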

EHR Audit
- Focus: advantage and disadvantage
- Probe: advantage and disadvantage
- What does your procedure say?

Auditing Checklist: OCR and the new HIPAA Privacy and Security Audit Program
- KPMG
- Pilot audits
- Notification letters
- Types of audits
- Deadlines
- The plan

OCR Privacy and Security Audits
- HITECH specifically provides that OCR will conduct periodic audits
- OCR initially contracted with Booz Allen to identify the universe of covered entities that are candidates for potential audits
- OCR then contracted with KPMG to conduct 150 privacy and security audits in 2012
When will this be done?
- An initial audit of 20 entities to be done by the end of March 2012
- The remaining 130 will be done between April and December of 2012
- Business associates will not likely be audited in this process

Who will be selected?
There are four tiers of covered entities from which the initial 20 have been selected:
- Large providers/payers: more than $1 billion in revenue or assets
- Regional health systems/insurers: between $300 million and $1 billion in revenue/assets
- Community hospitals, outpatient surgery centers, regional pharmacies, self-insured plans: between $50 million and $300 million
- Small providers of 10 to 50 providers, community or rural pharmacies: less than $50 million in revenue

Who is being audited?
They have defined that they selected different types of providers from each level:
- Level One: 2 health plans, 2 providers, 1 clearinghouse
- Level Two: 3 health plans, 2 providers, 1 clearinghouse
- Level Three: 1 health plan, 2 providers, no clearinghouses
- Level Four: 2 health plans, 4 providers, no clearinghouses

The first 20
There are eight health plans:
- 1 Medicaid health plan
- 1 SCHIP plan
- 3 group health plans
- 3 health insurance issuers
There are 12 providers:
- 3 physician groups
- 3 hospitals
- 1 lab
- 1 dental practice
- 2 nursing homes
- 1 pharmacy

What are they looking for in the audit?
- Do you have implemented Privacy and Security policies and procedures?
- Are you following the breach notification rule?

The process is not fun
- You will receive a notification letter from OCR which will give you 10 business days from the date of the letter to provide a lot of documents
- The letter will also inform you that the site visit will be some time in the next 30 to 90 days from the date of the letter
- Site visits will last between 3 and 10 business days with a team of 3-5 auditors
- The site visits can occur on very short notice, i.e. just a few days
- A draft audit report will be presented between 20 and 30 days from the end of the site visit
- You will have 10 business days to comment on the draft report
- The final report will be issued 30 days after the comment period ends

More good news
- The audits are intended to be preventative and not punitive
- If there is a serious finding it may result in an OCR compliance review
What does all this mean? Be prepared.

Social Media Discussion

Social Media Check List
- Business purpose; communication style; industry
- Social media on company time
- Appropriate discussion of business activities
- Content: confidentiality, copyright
- Purpose: personal or business use
- Job descriptions
- Auditing and investigation
- Consequences
- Training

Social Media
- Your best defense is ___ to it
- 2nd best defense is to write clear and effective policies and procedures

Recent Examples
- St. Mary's Medical Center, Long Beach, CA: nurses and other staff take photos of a stabbing victim and post them on Facebook
- Tri-City Medical Center, Long Beach, CA: no patient names or other identifiers used, but there was a discussion on Facebook about patients
- Mercy Walworth Medical Center, Lake Geneva, WI: photos taken of a patient x-ray and posted to Facebook
- Oakwood Hospital and Medical Center, Dearborn, MI: employee posted information about a patient who she alleged was a cop killer
- Providence Holy Cross Medical Center, Mission Hills, CA: contract employee posted a photo of the patient's medical record to poke fun at the patient. The photo included the patient's name and the date she was admitted, and also included comments about the patient's medical condition.
- When others pointed out the privacy violation, the poster's response was: "People, it's just Facebook. Not reality. Hello? Again... it's just a name out of millions and millions of names. If some people can't appreciate my humor then tough. And if you don't like it, too bad, because it's my wall and I'll post what I want to."

Organizational Culture Discussion

Organizational Culture
- Knowledgeable workforce
  - responsibilities (roles)
  - relevance (the "why" factor)
  - regulations/standards
  - golden rule
- Controls
  - environment (people and technology)
  - procedures
  - ongoing education and orientation

Organizational Culture: "why" factors
- HIPAA and HITECH
- Medicare
- Health Care Reform Act
- State Laws
- Accreditation

42 C.F.R. 482.24, CMS conditions of participation (Patient rights), requires hospitals to assure that:
- Patient records are confidential;
- Unauthorized persons cannot gain access to or alter patient records; and
- Patient records are released only to authorized persons in accordance with law.

Health Care Reform
- Information exchange (EHR)
- Meaningful use and data driven

Organizational Culture: be the influence and get the message out
- Create partnerships
- Communicate through committees
- Develop and make resources and tools accessible and available
- Be available to attend meetings and provide live education
- Contribute to internal communications: magazines/journals

Resources and Tools
- DHHS, Office of Civil Rights: http://www.hhs.gov/ocr/privacy/index.html
- HCCA net HIPAA Forum: http://community.hccainfo.org/hcca/communities/discussiongroups/viewthread/?groupid=121&messagekey=7e65ddcc-fc96-4b21-ad5bde231573b279
- CMS Conditions of Participation: https://www.cms.gov/cfcsandcops/
- HITECH Answers, free whitepapers: http://www.hitechanswers.net/ehr-incentiveprogram/hipaa-and-security-compliance/