HIPAA and HITECH: What You Need to Know
Today's Presenters
    Andrew Lenardon, Director of National Accounts Indirect Solutions for North America at Shred-it
    Andrew Lenardon is the Director of National Accounts Indirect Solutions for North America at Shred-it
    International, Inc., where he brings over 15 years of sales and leadership experience. In his role, Lenardon
    leads a team of professionals in helping Healthcare and Enterprise clients improve the security of how they
    handle confidential records and identify wasteful spending that can be shifted to priorities such as information
    security, compliance efforts and business efficiency. Lenardon has worked at Shred-it since 2006. A graduate
    of McMaster University, Lenardon holds a B.Sc. in Biochemistry and currently resides in Toronto, Canada.



    Chris Sheehan, Compliance Agent, Providence, Rhode Island
    Chris has a combined 17 years of experience in the Records Management & Information Security industries. In
    the past he has served on the Board of Directors and as Vice President for ARMA (Association for Records Managers
    & Administrators). For the last five years Chris has worked with the Federal & State governments in implementing
    policies to assist with the prevention of fraud and the protection of identity. Certified in Massachusetts law with regard to
    Mass Reg 201 CMR 17:00, Chris conducts Compliance Training for clients and assists with developing their Written
    Information Security Plan (WISP). Chris conducts Information Sessions for a number of Colleges and Universities
    to further educate administrators, faculty and the student body on information security and sustainability for
    saving the environment.




     David Pinter, National Accounts Executive
     David began his career at Shred-it over 12 years ago. He has been assisting healthcare organizations
     with their compliance and document security efforts since 2003 when HIPAA was first launched. David is
     a member of Shred-it’s National Accounts Healthcare Team where he provides new business
     development support and consulting activities for customers in the Healthcare and Group Purchase
     Organization spaces.




Protecting Patient Privacy – how important is it?




What is HIPAA?

    • The Health Insurance Portability and Accountability Act (HIPAA) is the
      Federal law that requires health care organizations to have and maintain
      safeguards against the intentional or unintentional use or disclosure of
      protected health information. In the words of the statute, organizations must
      “maintain reasonable and appropriate technical and physical safeguards to
      prevent intentional or unintentional use or disclosure of protected
      health information.”

    • Specifically, the management of private information is detailed
      through the Privacy Rule and the Security Rule. Both rules are
      designed to protect an individual’s private and confidential information
      by standardizing the rules for how it is used, handled, stored, etc.




What is HITECH?

• The Health Information Technology for Economic and Clinical Health
  (HITECH) Act includes rules that impact organizations that operate
  within HIPAA legislation.


• It is directly related to HIPAA because it imposes standards on
  medical and healthcare organizations (business associates) in addition
  to those that HIPAA imposes on covered entities (CEs). It was part of the
  Reinvestment Act of 2009.


• This act requires that all organizations in the medical field apply
  “meaningful use” of technology that demonstrates security efforts.
  This ensures that the confidentiality, integrity and availability of
  protected data are not compromised.



Major Changes Brought on by HITECH Since 2009


    • Enforcement has become more proactive, meaning there are
    more penalties for smaller breaches and for more parties.

    • The data that falls under the scope of protection has grown to
    include other personal information beyond EPHI.

    • Stricter audits are now in practice.

    • Every consumer now has the right to obtain a copy of their PHI
    without paying a fee.

    • Business Associates are now required to comply with this act,
    not just Covered Entities.

    • There are now more restrictions on the use of protected health
    information for marketing purposes.


Key Terms
• PHI and EPHI
• Covered Entity and Business Associate
• Security Rule and Privacy Rule
• Common Control
• Willful Neglect




PHI and EPHI



          PHI: Protected Health Information

          EPHI: PHI that has been converted in some way to electronic media



What is Considered PHI?

•       Medical records
•       Diagnosis of a certain condition
•       Procedure codes on claim forms
•       Claims data or information
•       Explanation of Benefits (EOB)
•       Pre-authorization forms
•       Crime reports
•       Coordination of benefit forms
•       Enrolment information and forms
•       Election forms
•       Reimbursement request forms
•       Records indicating payment
•       Claims denial and appeal information


Covered Entity and Business Associate

     Covered Entities (CEs) include health care providers, health care
     clearinghouses, and health plans that electronically store, process or
     transmit electronic protected health information (EPHI).

     Business Associates (BAs) are any person or group that provides
     services to, or performs functions on behalf of, a covered entity in some way.



Privacy Rule & Security Rule
• The Privacy Rule
     • Establishes national standards to protect individuals’ medical records and
       other personal health information
     • Applies to health plans, health care clearinghouses, and those health care
       providers that conduct certain health care transactions electronically
     • Requires appropriate safeguards to protect the privacy of personal health
       information
     • Sets limits and conditions on the uses and disclosures that may be made of
       such information without patient authorization
     • Gives patients rights over their health information, including rights to
       examine and obtain a copy of their health records, and to request
       corrections

• The Security Rule
     • Establishes national standards to protect individuals’ electronic personal
       health information that is created, received, used, or maintained by a
       covered entity
     • Requires appropriate administrative, physical and technical safeguards to
       ensure the confidentiality, integrity, and security of electronic protected
       health information

What is Common Control?

     • A situation where a covered entity has direct or indirect
     power or influence over another entity’s actions or
     policies.

     • It places the onus on the CE to ensure that the outside
     BA it contracted is taking the necessary safeguards
     and actions to protect the PHI of individuals.




What is Willful Neglect?

• Defined as “a tendency to be negligent and uncaring”
• In the context of HIPAA and HITECH the meaning of the term differs from
  case to case.
• With regard to the health care industry, willful neglect is a
  failure to comply or to perform certain necessary tasks that is
  either intentional or conscious.
• HITECH brought in harsher penalties for willful neglect.




How do organizations and individuals comply?

• Companies should explore the requirements of HIPAA Privacy
  and Security Rules.
• Health care organizations must implement policies and
  procedures related to accessing information.
• Business associates must adopt HIPAA-compliant practices.




Why is compliance important?

     Patient privacy is very important and people have the
     expectation that health care organizations keep their
     information secure and private. They expect that their
     information will be safe from breaches.

     Compliance matters not only for the patient’s sake but for the
     company’s own interests as well. Not only is your reputation at risk
     of being damaged, but cases of willful neglect under HITECH can attract
     a penalty of AT LEAST $50,000.00 per violation, up to a total of $1.5
     million in a calendar year.

     Compliance is important on many levels regardless of the
     circumstances.


What happens if you don’t comply?


 There are different penalties put into place by HIPAA and HITECH
 depending on the circumstances and situation.

 Since HITECH came into the picture in 2009, the penalties have become
 harsher and less forgiving.




Security Breach
     A major insurer in Tennessee had a massive breach in 2009 which
     affected over 1 million people. They settled in court as of this year for
     $1.5 million.

     • It involved the theft of 57 unencrypted computer hard drives.

     On those hard drives were:
         • Members’ names
         • Social Security Numbers
         • Diagnosis codes
         • Dates of birth
         • Health plan ID numbers

     • The investigation showed a lack of, and a failure to implement,
     appropriate safeguards for information. Not only digital but also physical
     safeguards are required by HIPAA/HITECH, and both were missing in this situation.

     • The company spent almost $17 million attempting to rectify the
     situation.




What are the Penalties?




 If a person…                                                  | They will be fined… | Or face imprisonment of…
 --------------------------------------------------------------|---------------------|-------------------------
 Causes, uses or obtains individually identifiable information | Up to $50,000.00    | 1 year
 Commits an offense under false pretences                      | Up to $100,000.00   | 5 years
 Commits an offense with intent to sell, transfer, or use      | Up to $250,000.00   | 10 years
 individually identifiable health information for commercial   |                     |
 advantage, personal gain, or malicious harm                   |                     |


What are some ways that you can avoid a violation or a breach?

            Here are some tips for best practice…




Best Practices
     Stay informed: Learn about HIPAA and HITECH and other privacy laws that
     impact your organization, and how to stay compliant.

     Establish a security plan: Document the flow of confidential information
     in your workplace, and make sure that you have formal security policies
     in place.

     Educate and enforce: Train your employees to understand and follow your
     information security policies. Update staff on a regular basis and post
     your policy and guidelines as frequent reminders.




Best Practices
     Limit access: Only authorized personnel should handle confidential
     documents.

     Create a retention policy: Determine which documents you must keep and
     for how long. Clearly mark a destruction date on all records in storage.

     Eliminate risk: Introduce a Shred-All policy for all documents that are
     no longer needed, so that your employees do not have to decide what is,
     or isn’t, confidential.

     Secure destruction: Partner with a knowledgeable industry leader that
     specializes in secure information destruction.



Who is Shred-it?

 • Shred-it specializes in providing a tailored information
   destruction service that allows businesses to comply with
   legislation and ensure that the client, employee and
   confidential business information is kept secure at all times.
 • Through our strict chain-of-custody processes, reliable on-time
   service and a global network of local service centers, Shred-it
   provides the most secure and efficient confidential information
   destruction service in the industry.




QUESTIONS?

Where can you find more information?

        Sources
        http://resource.shredit.com/LegislativeFactSheets
        http://www.healthcareinfosecurity.com/
        http://www.hipaasurvivalguide.com/
        http://www.hhs.gov/
        http://www.datamountain.com/resources/hipaa-hitech-compliance/hipaa-hitech-faq/



Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

HIPAA and HITECH : What you need to know

  • 1. HIPAA and HITECH What You Need to Know
  • 2. Today's Presenters Andrew Lenardon, Director of National Accounts Indirect Solutions for North America at Shred-it Andrew Lenardon is the Director of National Accounts Indirect Solutions for North America at Shred-it International, Inc., where he brings over 15 years of sales and leadership experience. In his role, Lenardon leads a team of professionals in helping Healthcare and Enterprise clients improve the security of how they handle confidential records and identify wasteful spending that can be shifted to priorities such as information security, compliance efforts and business efficiency. Lenardon has worked at Shred-it since 2006. A graduate of McMaster University, Lenardon holds a B.Sc. in Biochemistry and currently resides in Toronto, Canada. Chris Sheehan, Compliance Agent, Providence, Rhode Island Chris has a combined 17 years of experience in the Records Management & Information Security industries. In the past he has served on the Board of Directors and as Vice President for ARMA (Association for Records Managers & Administrators). For the last five years Chris has worked with the Federal & State governments in implementing policies to assist with the prevention of Fraud and the protection of Identity. Certified in Mass Law with regard to Mass Reg 201 CMR 17:00, Chris conducts Compliance Training for clients and assists with developing their Written Information Security Plan (WISP). Chris conducts Information Sessions for a number of Colleges and Universities to further educate Administrators, faculty and the student body on information security and sustainability for saving the Environment. David Pinter, National Accounts Executive David began his career at Shred-it over 12 years ago. He has been assisting healthcare organizations with their compliance and document security efforts since 2003 when HIPAA was first launched. David is a member of Shred-it’s National Accounts Healthcare Team where he provides new business development support and consulting activities for customers in the Healthcare and Group Purchase Organization spaces. 2
  • 3. Protecting Patient Privacy – how important is it? 3
  • 4. What is HIPAA? • Health Insurance Portability and Accountability Act (HIPAA) HIPAA requires health care organizations to have and maintain safeguards to prevent intentional or unintentional use or disclosure of protected health information. • The Federal law that requires health care organizations to “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” • Specifically, the management of private information is detailed through the Privacy Rule and the Security Rule. Both rules are designed to protect an individual’s private and confidential information by standardizing the rules for how it is used, handled, stored, etc. 4
  • 5. What is HITECH? • The Health Information Technology for Economic and Clinical Health (HITECH) Act includes rules that impact organizations that operate within HIPAA legislation. • It relates directly to HIPAA because it imposes standards on the business associates of medical and healthcare organizations in addition to the standards HIPAA already imposes on covered entities (CE’s). It was part of the Reinvestment Act of 2009. • This act requires that all organizations in the medical field apply “meaningful use” of technology that demonstrates security efforts. This ensures that the confidentiality, integrity and availability of protected data is not compromised. 5
  • 6. Major Changes Brought on by HITECH Since 2009 • Enforcement has become more proactive, meaning there are more penalties for smaller breaches and for more parties. • The data that falls under the scope of protection has now grown to include other personal information beyond EPHI. • Stricter audits are now in practice. • Every consumer now has a right to own a copy of their PHI without paying a fee. • Business Associates are now required to comply with this act, not just Covered Entities. • There are now more restrictions on the use of protected health information for marketing purposes. 6
  • 7. Key Terms • PHI and EPHI • Covered Entity and Business Associate • Security Rule and Privacy Rule • Common Control • Willful Neglect 7
  • 8. PHI and EPHI PHI: Protected Health Information EPHI: PHI that has been converted in some way to electronic media 8
  • 9. What is Considered PHI? • Medical records • Diagnosis of a certain condition • Procedure codes on claim forms • Claims data or information • Explanation of Benefits (EOB) • Pre-authorization forms • Crime reports • Coordination of benefit forms • Enrolment information and forms • Election forms • Reimbursement request forms • Records indicating payment • Claims denial and appeal information 9
  • 10. Covered Entity and Business Associate Covered Entities (CE’s) include health care providers, health care clearinghouses, and health plans that electronically store, process or transmit electronic protected health information (EPHI). Business Associates (BA’s) include any person or group that provides services to, or facilitates the activities of, a covered entity in some way. 10
  • 11. Privacy Rule & Security Rule • The Privacy Rule • Establishes national standards to protect individuals’ medical records and other personal health information • Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically • Requires appropriate safeguards to protect the privacy of personal health information • Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization • Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections • The Security Rule • Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity • Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information 11
  • 12. What is Common Control? • A situation where a covered entity has indirect or direct power or influence over another entity’s actions or policies. • It places the onus on the CE to ensure that the outside BA it contracted is taking the necessary safeguards and actions to protect the PHI of individuals. 12
  • 13. What is Willful Neglect? • Defined as “A tendency to be negligent and uncaring” • In the context of HIPAA and HITECH the term differs from case to case. • With regard to the health care industry, willful neglect is an intentional or conscious failure to comply or to perform certain necessary tasks. • HITECH brought in harsher penalties for willful neglect. 13
  • 14. How do organizations and individuals comply? • Companies should explore the requirements of HIPAA Privacy and Security Rules. • Health care organizations must implement policies and procedures related to accessing information. • Business associates must adopt HIPAA-compliant practices. 14
  • 15. Why is compliance important? Patient privacy is very important, and people have the expectation that health care organizations keep their information secure and private. They expect that their information will be safe from breaches. Compliance is important not only for the patient’s sake, but for the company’s own interests as well. Not only is your reputation at risk of being damaged, but cases of willful neglect under HITECH can incur a penalty of AT LEAST $50,000.00 per violation, up to a total of $1.5 million in a calendar year. Compliance is important on many levels regardless of the circumstances. 15
  • 16. What happens if you don’t comply? There are different penalties put into place by HIPAA and HITECH depending on the circumstances and situation. Since HITECH came into the picture in 2009, the penalties have become harsher and less forgiving. 16
  • 17. Security Breach A major health insurer in Tennessee had a massive breach in 2009 which affected over 1 million people. They settled in court as of this year with a settlement of $1.5 million. • It involved the theft of 57 unencrypted computer hard-drives. On those hard-drives were: • Members’ names • Social Security Numbers • Diagnosis Codes • Dates of birth • Health plan ID numbers • The investigation showed a failure to implement appropriate safeguards for information. Both digital and physical safeguards are required by HIPAA/HITECH and were missing in this situation. • The Company spent almost $17 million attempting to rectify the situation. 17
  • 18. What are the Penalties? 18
  • 19. If a person… | They will be fined… | Or face imprisonment of…
        Causes, uses or obtains individually identifiable information | Up to $50,000.00 | 1 Year
        Commits an offense under false pretences | Up to $100,000.00 | 5 Years
        Commits an offense with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm | Up to $250,000.00 | 10 Years
        19
  • 20. What are some ways that you can avoid a violation or a breach? Here are Some Tips for Best Practice… 20
  • 21. Best Practices Stay informed: Learn about HIPAA and HITECH and other privacy laws that impact your organization, and how to stay compliant. Establish a security plan: Document the flow of confidential information in your workplace, and make sure that you have formal security policies in place. Educate and enforce: Train your employees to understand and follow your information security policies. Update staff on a regular basis and post your policy and guidelines as frequent reminders. 21
  • 22. Best Practices Limit access: Only authorized personnel should handle confidential documents. Create a retention policy: Determine which documents you must keep and for how long. Clearly mark a destruction date on all records in storage. Eliminate risk: Introduce a Shred-All policy for all documents that are no longer needed, so that your employees do not have to decide what is – or isn’t – confidential. Secure destruction: Partner with a knowledgeable industry leader that specializes in secure information destruction. 22
  • 23. Who is Shred-it? • Shred-it specializes in providing a tailored information destruction service that allows businesses to comply with legislation and ensure that the client, employee and confidential business information is kept secure at all times. • Through our strict chain-of-custody processes, reliable on-time service and a global network of local service centers, Shred-it provides the most secure and efficient confidential information destruction service in the industry. 23
  • 25. Where can you find more information? Sources http://resource.shredit.com/LegislativeFactSheets http://www.healthcareinfosecurity.com/ http://www.hipaasurvivalguide.com/ http://www.hhs.gov/ http://www.datamountain.com/resources/hipaa-hitech-compliance/hipaa-hitech-faq/ 25