Welcome to the HIPAA PASS Webinar! - HealthInsight
Welcome to the HIPAA PASS Webinar!
• Please keep yourself muted to eliminate background noise.
• We will be using Chat for Questions and Answers.
• We will get started in just a minute!
Thank you for joining us!
Introduction to Building and Governing Your HIPAA Compliance Program
May 25, 2017
This Webinar is Brought to You By….
HealthInsight and Mountain-Pacific
HealthInsight and Mountain-Pacific Quality Health recognize that HIPAA compliance can place an excessive burden on small and medium sized organizations, and so created HIPAA Privacy and Security Solutions (HIPAA PASS) to provide easy, affordable and comprehensive solutions for those who need us most.
Please check out our HIPAA PASS websites for Risk Analysis and Risk Management services.
Mark Norby, CHP
• 15 Years of IT experience
• Eight Years as the CIO of the Community Health Center of Central Wyoming and University of Wyoming Family Medicine Residency Program
• Six Years as a HIPAA Compliance Officer
• Four Years as a HIPAA Compliance Consultant
• Provided help to more than 150 hospitals and clinics
Susan Clarke, HCISPP
• (ISC)2 certified Healthcare Information Security and Privacy Practitioner
• 15+ years of health care experience
• 10+ years of EHR software design and development, BS with computer science major
• National Incident Management Systems Certificate
• Served on IT Security, Disaster Recovery and Joint Commission steering committee
• Served as communications unit lead during health care system’s ready and complete alerts
Programs that Address HIPAA
• Meaningful Use
• MIPS/MACRA
• Emergency Preparedness: https://www.cms.gov/medicare/provider-enrollment-and-certification/surveycertemergprep/emergency-prep-rule.html
Deadline coming soon!
Essential HIPAA Terms to Know
Covered Entities (CE)
• Includes health plans, health care clearinghouses and most health care providers
• Applies to most health care providers because they transmit health information electronically (e.g. billing)
Business Associates (BA)
• Individuals and organizations that perform services for or on behalf of your practice that involve routine access to Protected Health Information (PHI)
Protected Health Information (PHI)
Refers to individually identifiable health information that relates to the individual’s past, present, or future physical or mental condition, including the provision of health care to the individual, that is
• Transmitted by electronic media
• Maintained in electronic media
• Transmitted or maintained in any other form or medium
Confidentiality, Integrity, Availability
HIPAA Privacy Rule
• Establishes standards for the use and disclosure of PHI
• Protects PHI whether electronic, oral or paper
• Establishes standards for providing patient rights
• Outlines civil and criminal penalties for failure to comply
Examples of Patient Rights
• The right to inspect, review and receive a copy of their health information
• The right to request amendments
• The right to an accounting of disclosures
• The right to confidential communications
• Access to Notice of Privacy Practice
HIPAA Security Rule
• Protects individuals’ electronic PHI that is created, received, maintained or transmitted by a CE
• Protects confidentiality, integrity and availability (CIA) of ePHI
• Consists of administrative, physical and technical safeguards
Breach Notification Rule
• Requires CEs to promptly notify individuals and the Secretary of HHS of the compromise of unsecured PHI
Every Organization Faces Risk
Clinical teams manage risk on a daily basis, yet information risk management programs are often not as formal as needed.
Privacy and Security Starts at the Top
• Designate a privacy and security officer
• Make sure that each has a job description
• Select a qualified professional to assist you with the Security Risk Analysis
• Promote a culture of protecting patient privacy
Security Officer: Is responsible for the design, implementation, management and review of the organization's security policies, standards, procedures, baselines and guidelines. Directs, coordinates and organizes information security activities throughout the organization.
Privacy Officer: Is responsible for reviewing organization practices and procedures to ensure compliance with the relevant privacy laws and policies. The privacy officer will be able to make recommendations to prevent incidents of compromise and misuse of health or personal information.
Document Your Process, Findings and Actions
• Records will be essential if you are audited
• Good faith effort can be the difference between a corrective action plan (CAP) and a fine
• Maintain records for six years
Examples of Documentation to Keep
• Completed checklists
• Security Risk Analysis report(s)
• Risk management action plan
• Business associate (BA) agreements
• Trainings for staff
• System monitoring results
• Policies and procedures
• Meeting minutes
Conduct a Security Risk Analysis
• An ongoing process to identify risks to confidentiality, integrity, availability
• It’s the first step towards Security Rule compliance
• NOT optional – regardless of size
• A checklist will not suffice
• HHS recommends a nine step process as outlined in NIST SP800-66
• Consistently review/update and keep documentation
• Soak up the education
Develop an Action Plan (Risk Management Plan)
• Use Security Risk Analysis to identify threats and vulnerabilities
• Focus on high priorities and low hanging fruit
• Identify what needs to be done
• Who is going to do it
• When will it be done
• The plan must include the following five components:
1) Physical Safeguards
• Facility security - Is the server room locked, who has keys to the building?
• Workstation and office security - Are passwords written on a sticky note, do workstations auto log-off?
• Protecting portable devices
2) Administrative Safeguards
• Designated security officer
• Workforce training and oversight
• Controlling information access
• Periodic security reassessment
3) Technical Safeguards
• Controls on access to electronic health record (EHR) and other software
• Use of audit logs to monitor activities
• Secure exchanges of electronic data
4) Policies and Procedures
• Establish protocols for administrative, physical and technical safeguards
• Specify individual patient rights
• Documented incident response plans
• Processes for breach notification and sanctions
4) Policies and Procedures Cont.
• Train staff on policies and procedures
• Consistently apply policies and procedures
• Periodically review and update policies and procedures
• Retain old policies and procedures for six years after they have been updated or replaced
5) Organizational Requirements
• Breach notification and associated policies, are they in place and have staff been trained?
• BA agreements, are they in place and is the BA aware of their responsibilities?
Less than two weeks ago…
Business Associates
• Responsibilities are very similar to those of a Covered Entity (CE)
• CE is responsible for obtaining a Business Associate Agreement (BAA) obligating the BA to safeguard PHI
• Breach notification requirements must be met
• The Covered Entity must respond to non-compliance of the Business Associate
Organizations frequently underestimate the proliferation of ePHI within their environments.
HIPAA Compliance for You
Keep Up With the Changes
• Join the OCR Privacy and Security Listservs: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/listserv.html
Presenters contact information:
Mark Norby, [email protected], (307) 258-5322
Susan Clarke, [email protected], (307) 248-8179
Questions?