1
- JOSEPH CONDORELLI
- CATHERINE ZIELINSKI, MHA
- SETH ROSENBERG, MSW MBA
- Todd Mitchell, Attorney, Bullivant Houser Bailey
2
- Overcome “job lock” – the reluctance to move from one company to
another for fear of losing health insurance
- Increase portability and access to health insurance
- Simplify health care administration
3
- Uniformity in electronic transmissions and code sets;
- Unique identifiers;
- Patient privacy; and
- Records security (both stored and transmitted).
- These are the “four legs of HIPAA”
4
- Regulatory definition:
- All health information created and/or received by provider, health plan,
health care clearinghouse, employer, life insurer or school or
university that relates to the physical or mental health or condition of
an individual, the provision of health care to that person, or to the
payment for that person’s health care, which is sufficiently specific to
identify the person, that is transmitted or maintained by a covered
entity in any form (orally, on paper or electronically).
5
- THE USE OR DISCLOSURE OF PHI IS PROHIBITED EXCEPT WHERE SPECIFICALLY PERMITTED
OR REQUIRED BY HIPAA
- HIPAA SETS STANDARDS OF RECORD KEEPING AND CONFIDENTIALITY IRRESPECTIVE
OF ELECTRONIC TRANSMISSION
- USE OF PHI IN MANY ACTIVITIES IS LIMITED, INCLUDING IN MARKETING OR IN
CONSULTATION WITH FAMILY MEMBERS
- NUMEROUS EXCEPTIONS: CHILD ABUSE, DOMESTIC VIOLENCE, RESEARCH, LICENSURE
AND DISCIPLINARY ACTIONS.
- REMEMBER: HIPAA PRE-EMPTS STATE LAW UNLESS STATE LAW IS MORE RESTRICTIVE,
E.G. HIPAA WOULD ALLOW DISCLOSURE OF A PATIENT’S RELIGIOUS AFFILIATION,
BUT THAT IS PROHIBITED IN TENNESSEE.
6
- Covered Entities will be non-compliant unless they execute written
agreements with their vendors which cover specific provisions concerning
HIPAA compliance.
- A general HIPAA compliance clause is not sufficient for contracts with
Business Associates of Covered Entities.
- Vendor contracts must specifically address the limited use and
disclosure of PHI as well as other listed vendor obligations.
- Indemnification provisions for failure to comply should be
considered.
7
- General (civil) penalty for failure to comply:
- Each violation: $100.
- Violations of one standard are capped at a maximum penalty of $25,000
in a given calendar year.
- (These are the amounts in the 1996 Act; the 2009 HITECH Act later raised
the civil penalty tiers substantially.)
- Wrongful disclosure of individually identifiable health information (criminal):
- Basic offense: up to $50,000, imprisonment of not more than one year, or both.
- Under false pretenses: up to $100,000, imprisonment of not more than 5 years, or
both.
- With intent to sell: up to $250,000, imprisonment of not more than 10 years, or
both.
8
- “The security regulations would apply to each health care provider
electronically maintaining or transmitting health information pertaining
to individuals” (p43245 Federal Register).
9
- As of April 14, 2003 HIPAA requires that:
- “EACH COVERED ENTITY WHO MAINTAINS OR TRANSMITS PROTECTED HEALTH
INFORMATION (PHI) SHALL MAINTAIN REASONABLE AND APPROPRIATE
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS.” 42 USC 1320d-2(d)(2)
- As of April 16, 2003 you need to start testing your software and
computer systems to ensure that they are capable of HIPAA compliance.
- As of October 16, 2003 you must be ready to conduct transactions
electronically in the standard HIPAA format.
- As of April 21, 2005 all covered entities must comply with the security
rules.
10
- Written compliance program/policies
- Employee training
- Revise vendor contracts
- Audit security procedures and upgrade as necessary
12
- Evaluate your network
- What’s on your server?
- Inventory your software: patient database
- Inventory hardware
- Inventory workstation specifications
- List specific PHI accessed by each workstation
- Test backup system
- Prepared for disaster recovery?
- UPS functioning properly?
13
- Evaluate your users
- Who has access?
- Who needs access to perform essential job functions?
- Passwords secure or shared?
- Examine how you transmit data
- Determine if your software is ready for HIPAA
- Talk to your business associates about their HIPAA plans
- Review current policies
- Update to meet HIPAA Requirements
- Train and Implement
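The two checklists above (inventory which PHI each workstation reaches; who has access versus who needs it; shared passwords) can be turned into a repeatable access review. The script below is an added example and is not part of the original presentation or the presenters' materials; the ROLE_NEEDS matrix and the ACCOUNTS inventory are constructed sample data standing in for a practice's own job descriptions and its own inventory of logins and PHI systems.

```python
"""Access review for PHI systems: compare who has access against who needs it.

Added example, not part of the original presentation. ROLE_NEEDS and ACCOUNTS
are constructed sample data standing in for a practice's own job descriptions
and its inventory of which users and workstations reach which PHI.
"""
from collections import defaultdict


# Constructed assumption: the PHI systems each role needs for essential job
# functions. A real practice derives this matrix from its own job descriptions.
ROLE_NEEDS = {
    "physician":  {"ehr", "lab_results", "billing_readonly"},
    "nurse":      {"ehr", "lab_results"},
    "billing":    {"billing", "billing_readonly"},
    "front_desk": {"scheduling", "billing_readonly"},
}

# Constructed extract of the current account inventory: login, role, the PHI
# systems the login can actually open, and whether the password is shared.
ACCOUNTS = [
    {"account": "jsmith",    "role": "physician",  "systems": {"ehr", "lab_results", "billing_readonly"}, "shared": False},
    {"account": "mlee",      "role": "nurse",      "systems": {"ehr", "lab_results", "billing"},          "shared": False},
    {"account": "frontdesk", "role": "front_desk", "systems": {"scheduling", "billing_readonly"},         "shared": True},
    {"account": "rjones",    "role": "billing",    "systems": {"billing", "billing_readonly", "ehr"},     "shared": False},
    {"account": "vendor1",   "role": "contractor", "systems": {"ehr"},                                    "shared": False},
]


def review_access(accounts, role_needs):
    """Return one finding per problem: access beyond what the role needs,
    a shared credential (no individual accountability in the audit trail),
    or a role with no documented need at all."""
    findings = []
    for acct in accounts:
        needs = role_needs.get(acct["role"])
        if needs is None:
            findings.append({"account": acct["account"], "issue": "unknown_role",
                             "detail": acct["role"]})
            continue
        excess = acct["systems"] - needs
        if excess:
            findings.append({"account": acct["account"], "issue": "excess_access",
                             "detail": sorted(excess)})
        if acct["shared"]:
            findings.append({"account": acct["account"], "issue": "shared_credential",
                             "detail": sorted(acct["systems"])})
    return findings


def access_by_system(accounts):
    """Answer "who has access?" for each PHI system, sorted for a stable report."""
    by_system = defaultdict(set)
    for acct in accounts:
        for system in acct["systems"]:
            by_system[system].add(acct["account"])
    return {system: sorted(users) for system, users in sorted(by_system.items())}


if __name__ == "__main__":
    for system, users in access_by_system(ACCOUNTS).items():
        print(f"{system:17s} {', '.join(users)}")
    print()
    for f in review_access(ACCOUNTS, ROLE_NEEDS):
        print(f"{f['account']:10s} {f['issue']:18s} {f['detail']}")
```

On the sample data the review flags the nurse login that can open the billing system, the billing clerk who can open the EHR, the shared front-desk password, and a contractor account whose role has no documented PHI need. Each finding is the starting point for either revoking the access or documenting why the job function requires it.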
14
- DATA BACKUP PLAN
- DISASTER RECOVERY PLAN
- RISK ANALYSIS
- SANCTIONS
- PERSONNEL SECURITY
- PASSWORDS
- INVENTORY
- VIRUS PROTECTION
- TRAINING
- AUDIT TRAIL
- CHAIN OF TRUST AGREEMENT
- ACCEPTABLE USE
- MAINTENANCE RECORDS
- FACILITY SECURITY
- ENCRYPTION
- ROLE-BASED ACCESS
- USER-BASED ACCESS
- EVENT REPORTING
- INTEGRITY CONTROLS
- MESSAGE AUTHENTICATION
- ACCESS AUTHORIZATION
- ACCESS CONTROLS
- NONREPUDIATION
- TRANSPORTABILITY
- CONFIDENTIALITY
- EMERGENCY MODE OPERATION
15
- AUTHENTICATION & ENCRYPTION ERRORS
- IP ADDRESS BROADCASTING
- VIRTUAL PRIVATE NETWORKING CONFIGURATION ERRORS
- INTERNET ACCESS USAGE
- PROPER UPGRADES OF OPERATIONAL SOFTWARE
16
- WE ARE YOUR COMPREHENSIVE HIPAA SERVICE PROVIDER
- WE ASSESS AND ADDRESS YOUR COMPUTER SYSTEM SECURITY NEEDS
- WE PROVIDE THE POLICY AND PROCEDURE TO ENSURE PRIVACY AND SECURITY
18
- The information contained in this HIPAA Presentation and on this web
site is not intended to provide legal advice or serve as a substitute for
consulting with retained legal counsel.
HIPAA is a complex and varied law, and questions pertaining to its
application to your specific clinic or practice should be directed to
legal counsel.