This presentation will discuss covered entities, protected health information (PHI) as it relates to dental practices, and business associates of those practices. It will update you on major legislation relating to patient privacy and explain why protecting PHI is important and what the consequences are for non-compliance with state and federal laws.
2. Neither of these guys is a licensed peace
officer, attorney, or dentist....
they're not very funny either!
3. After completing this presentation participants should be able to:
Define Covered Entity, Protected Health Information and Business
Associates
Identify major legislation regarding patient privacy laws in Texas
Explain why protecting Protected Health Information is important and
consequences for non-compliance with state and federal laws
Sketch out a plan to achieve compliance for their organizations
6. Took effect on April 1st, 2003
First major regulation in recent years to control fraud, waste and
abuse of government programs
Mandated mechanisms for exchange of information between
healthcare clearinghouses, health plans and providers.
7. Took effect in 2009
Provided Federal money for providers to help incorporate EHR into
health care practices
Recognized that the majority of data breaches were caused by Business
Associates and that there was (previously) no way to hold unlicensed BAs
directly accountable for HIPAA provisions
8. Took effect on 09/01/2012
Re-defined “Protected Health Information”
Expanded definition of “Covered Entity” to include entities that
come into possession of, obtain, assemble, collect, analyze,
evaluate, store or transmit PHI.
9. Expanded privacy and security mandates on covered entities such as:
Employee training (within 60 days of hire and every 2 years)
Patient access to electronic health records (EHRs) (15 business days)
Identifies state agencies that regulate covered entities and the
agency's compliance enforcement process (Office of the Attorney
General for non-licensed CEs)
10. Consumer Information Website
Prohibits the sale of PHI (with limited exceptions)
Consumer Notice and Authorization Required for Electronic
Disclosure of PHI
Fines and penalties include civil and criminal remedies for non-
compliance
11. American Recovery and Reinvestment Act of 2009 (ARRA) became
federal law on February 17, 2009. HITECH is part of that law.
The goal of HITECH is to enhance and expand the HIPAA Privacy and
Security Rules.
The HITECH Act not only makes privacy regulations stricter, but it
also gives more power to federal and state authorities to enforce privacy
and security protections for patient information and data.
12. It increases patients' rights under HIPAA to control their PHI
(medical information)
It limits the use of PHI for marketing purposes
It mandates breach (unauthorized access or loss of PHI) notification
It also extends many of the same requirements to the business
associates outside the organization to whom PHI is given so they can do
their jobs.
13. Published January 25th, 2013
Expands the definition of Business Associates - now include
entities that “maintain” PHI, in addition to those that create, receive,
or transmit PHI for a function or activity such as claims processing
or administration, data analysis, utilization review, quality
assurance, patient safety activities, billing, benefit management,
practice management, and re-pricing.
The definition extends fully to subcontractors of BAs who perform
these functions.
14. Solidifies that BAs are directly liable for compliance with
HIPAA. Under the new rules, BAs are statutorily liable for violations
of the HIPAA security rules. They are also subject to the same
HIPAA privacy restrictions as covered entities. This includes
requirements that BAs create and implement HIPAA privacy and
security policies and procedures in relation to the handling of PHI of
a covered entity. BAs may be subject to compliance reviews by the
federal Department of Health and Human Services (HHS).
15. Requires BAs to report to the covered entity any breach of
unsecured PHI (PHI that has not been rendered unusable, unreadable or
indecipherable to unauthorized persons, e.g. by encryption or destruction).
A breach is an acquisition, access, use or disclosure of PHI that is not
permitted under the Privacy Rule and that compromises the security or
privacy of the PHI.
17. As per HB 300 and the HITECH Final Rule:
Basically, all persons or entities who receive, possess, or generate
protected health information (PHI), or who store PHI and "could
potentially" access it
18. Individually Identifiable Health Information (including demographic
data) that relates to:
The individual's past, present or future physical or mental health or
condition;
The provision of health care to the individual; or
The past, present, or future payment for the provision of health care
to the individual
19. EXAMPLES: Names, Addresses, Date and place of birth, Race,
Marital Status, Phone numbers, Fax numbers, Email addresses, Social
Security numbers, Medical record numbers, Health insurance
beneficiary numbers, Account numbers, Certificate/license numbers,
Vehicle identifiers and serial numbers, including license plate numbers,
Device identifiers and serial numbers, Web URLs, IP address
numbers, Biometric identifiers (including finger, retinal and voice
prints), Full face photographic images and any comparable images
21. Required (R) means that the implementation specification is
mandatory: the organization must implement it as written.
Addressable (A) means that the organization must assess whether the
specification is reasonable and appropriate in its environment. If it is,
implement it; if not, document why, and implement an equivalent
alternative measure where reasonable and appropriate. The assessment and
the decision must be documented either way. Important Note:
Addressable does not mean optional.
23. Safeguard documents and communications involving PHI (oral,
written and otherwise)
Shred or definitively destroy documents that are no longer needed
Notify Covered Entities if any information has been breached
Have written policies and procedures to account for this information
See HIPAA Privacy summary for additional
25. Risk Analysis: (R) Perform and document a risk analysis that identifies
where ePHI is created, received, used and stored, and assesses the risks and
vulnerabilities to its confidentiality, integrity and availability
Risk Management: (R) Implement measures sufficient to reduce
these risks to an appropriate level.
Sanction Policy: (R) Implement sanction policies for employees
who fail to comply.
Information Systems Activity Reviews: (R) Regularly review
system activity, logs, audit trails, etc.
Officers: (R) Designate HIPAA Security and Privacy Officers
26. Employee Oversight: (A) Implement procedures to authorize and
supervise employees who work with PHI, and for granting and
removing PHI access to employees. Ensure that an employee's
access to PHI ends with termination of employment.
Multiple Organizations: (R) Ensure that PHI is not accessed by
parent or partner organizations or subcontractors that are not
authorized for access.
ePHI Access: (A) Implement procedures for granting access to
ePHI and which document access to ePHI or to services and
systems which grant access to ePHI.
Security Reminders: (A) Periodically send updates and reminders
of security and privacy policies to employees.
27. Protection against Malware: (A) Have procedures for guarding
against, detecting, and reporting malicious software.
Login Monitoring: (A) Institute monitoring of logins to systems and
reporting of discrepancies.
Password Management: (A) Ensure there are procedures for
creating, changing, and protecting passwords.
Response and Reporting: (R) Identify, document, and respond to
security incidents.
Contingency Plans: (R) Ensure there are accessible backups of
ePHI and that there are procedures for restoring any lost data.
28. Contingency Plans Updates and Analysis: (A) Have procedures for periodic
testing and revision of contingency plans. Assess the relative criticality of
specific applications and data in support of other contingency plan
components.
Emergency Mode: (R) Establish (and implement as needed) procedures to
enable continuation of critical business processes for protection of the security
of electronic protected health information while operating in emergency mode.
Evaluations: (R) Perform periodic evaluations to see if any changes in your
business or the law require changes to your HIPAA compliance procedures.
Business Associate Agreements: (R) Have contracts with business partners
who will have access to your PHI to ensure that they will be compliant.
29. Contingency Operations: (A) Establish (and implement as needed) procedures
that allow facility access in support of restoration of lost data under the disaster
recovery plan and emergency mode operations plan in the event of an emergency.
Facility Security: (A) Implement policies and procedures to safeguard the facility
and the equipment therein from unauthorized physical access, tampering, and theft.
Access Control and Validation: (A) Implement procedures to control and validate
a person's access to facilities based on their role or function, including visitor
control, and control of access to software programs for testing and revision.
Maintenance Records: (A) Implement policies and procedures to document repairs
and modifications to the physical components of a facility which are related to
security
30. Workstations: (R) Implement policies governing what software can/must
be run, and how it should be configured, on systems that provide access
to ePHI. Safeguard all workstations providing access to ePHI and restrict
access to authorized users.
Devices and Media Disposal and Re-use: (R) Create procedures for the
secure final disposal of media that contain ePHI and for the reuse of
devices and media that could have been used for ePHI.
Media Movement: (A) Record movements of hardware and media
associated with ePHI storage. Create a retrievable, exact copy of
electronic protected health information, when needed, before movement of
equipment.
31. Unique User Identification: (R) Assign a unique name and/or number for
identifying and tracking user identity.
Emergency Access: (R) Establish (and implement as needed) procedures
for obtaining necessary electronic protected health information during an
emergency.
Automatic Logoff: (A) Implement electronic procedures that terminate an
electronic session after a predetermined time of inactivity.
Encryption and Decryption: (A) Implement a mechanism to encrypt and
decrypt electronic protected health information when deemed appropriate.
32. Audit Controls: (R) Implement hardware, software, and/or procedural
mechanisms that record and examine activity in information systems that
contain or use electronic protected health information.
ePHI Integrity: (A) Implement policies and procedures to protect electronic
protected health information from improper alteration or destruction.
Authentication: (R) Implement procedures to verify that a person or entity
seeking access to electronic protected health information is the one claimed.
Transmission Security: (A) Implement technical security measures to guard
against unauthorized access to electronic protected health information that is
being transmitted over an electronic communications network.
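The Information Systems Activity Review, Employee Oversight (ending access at termination), Login Monitoring and Audit Controls standards above all come down to one operational question: does anyone actually read what the practice management system logs? The following Python script is an added example, not part of this presentation or of any vendor's product, that runs three such checks over a constructed access log: activity under an account whose owner has left, patient records viewed outside business hours, and repeated failed logins on one account. The log format, the field names, the business-hours window, the failed-login threshold and the HR termination roster are all assumptions chosen for the example; a real review would read the audit trail exported by the practice's own software.

```python
"""Added example: a minimal information-system activity review over an ePHI
access log. Not from the presentation; the log format, field names, roster and
thresholds below are assumptions chosen for the example."""
from collections import Counter
from datetime import date, datetime, time

# Constructed sample audit trail (not real data):
# <ISO timestamp> <user id> <event> <patient record number or ->
SAMPLE_LOG = """\
2013-03-04T08:15:02 jdoe   LOGIN_OK    -
2013-03-04T08:16:40 jdoe   VIEW_RECORD MRN-1001
2013-03-04T22:47:13 asmith VIEW_RECORD MRN-1002
2013-03-05T09:02:11 bjones LOGIN_FAIL  -
2013-03-05T09:02:30 bjones LOGIN_FAIL  -
2013-03-05T09:02:55 bjones LOGIN_FAIL  -
2013-03-05T09:03:10 bjones LOGIN_FAIL  -
2013-03-06T10:20:00 klee   VIEW_RECORD MRN-1003
"""

# Constructed HR roster: last day of employment for users who have left.
TERMINATED = {"klee": date(2013, 3, 1)}

# Assumed review parameters.
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # record access expected in this window
FAILED_LOGIN_THRESHOLD = 3                   # per account, per reviewed period


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, mrn = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "user": user, "event": event, "mrn": mrn})
    return events


def review(events, terminated=TERMINATED):
    """Return a list of (check, user, detail) findings for the three checks."""
    findings = []
    failed = Counter()
    for e in events:
        # 1. Any activity under an account that should have been disabled
        #    when its owner left (Employee Oversight / Unique User Identification).
        last_day = terminated.get(e["user"])
        if last_day is not None and e["ts"].date() > last_day:
            findings.append(("access_after_termination", e["user"],
                             e["ts"].isoformat()))
        # 2. Patient record viewed outside business hours (Audit Controls).
        if e["event"] == "VIEW_RECORD":
            start, end = BUSINESS_HOURS
            if not start <= e["ts"].time() < end:
                findings.append(("after_hours_record_access", e["user"], e["mrn"]))
        # 3. Repeated failed logins on one account (Login Monitoring).
        if e["event"] == "LOGIN_FAIL":
            failed[e["user"]] += 1
    for user, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_logins", user, n))
    return findings


if __name__ == "__main__":
    for check, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{check:28} {user:8} {detail}")
```

On the sample log the review flags klee's record view five days after the roster says klee left, asmith's record view at 22:47, and four failed logins on the bjones account. The termination check only works because every workforce member has their own user ID (Unique User Identification, a Required standard): a shared front-desk login can never be tied to a departed employee, and the review could not show who viewed a record. Whatever tool is used, keep the findings and the reviewer's sign-off, since the documented review is the evidence that the standard is being met.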
34. Create, revise, and/or implement HIPAA policies and
procedures. Diligently pursue HIPAA-compliant policies and
procedures as they relate to HIPAA security and privacy
requirements.
35. Ensure you have Business Associate agreements on file with
the Covered Entities whose patients' PHI you have access
to. Ensure you have BA agreements with covered entity clients, as
well as with any subcontractors to whom you delegate BA functions
(consider relationships with lenders, transition specialists, practice
management, attorneys, other vendors).
36. Ensure that you and ALL employees or persons for whom you are
responsible receive training as required:
within 60 days of beginning new employment, and;
every two years
Training must include State and Federal requirements
37. This presentation is NOT comprehensive and is only intended as a high-level
overview of information relevant to Covered Entities and Business
Associates. My team and I are happy to provide you with additional
information or you can surf the Internet at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html
38. Duane Tinker traded his gun and badge for a clipboard and classroom
to inform and teach Dental professionals how to stay off the radar and
out of the news! As President & CEO of Dental Compliance
Specialists, LLC -- a company specializing in Dental office regulatory
compliance – he has taken his expertise as a former law enforcement
officer responsible for investigating criminal and civil complaints
against practices and now uses this knowledge to assist Dental
professionals in avoiding these legal pitfalls. He is a much sought-after
speaker and consultant and a member of the Speaking Consulting
Network. In this pursuit, today his passion is all about helping
beleaguered oral healthcare providers find justice!
Editor's notes
For more information, contact Duane at Duane@DentalCompliance.com