Dental Compliance for Dentists and Business Associates
Transcript of Dental Compliance for Dentists and Business Associates
HIPAA/HITECH for Business Associates
For Free compliance tips join our list!
www.DentalCompliance.com
Presented by: Duane Tinker & Toothcop
Neither I nor members of my immediate family
have any financial relationships with
commercial entities that may be relevant to this
presentation.
Neither of these guys is a licensed peace officer, attorney, or
dentist... they're not very funny either!
Learning Objectives
After completing this presentation participants should be able to:
Define Covered Entity, Protected Health Information and
Business Associates
Identify major legislation regarding patient privacy laws in
Texas
Explain why protecting Protected Health Information is
important and consequences for non-compliance with state
and federal laws
Sketch out a plan to achieve compliance for their organizations
Overview
Compliance Regulations
HIPAA Privacy
HIPAA Security
HB 300 (Texas Medical Privacy Act)
HITECH
HIPAA
Enacted in 1996; the Privacy Rule compliance date for most covered
entities was April 14, 2003
First major federal regulation in recent years aimed at controlling fraud,
waste and abuse in government health programs
Mandated standard mechanisms (the Administrative Simplification
transaction standards) for exchanging information between
healthcare clearinghouses, health plans and providers
HITECH
Enacted in 2009 as part of the American Recovery and Reinvestment Act
Provided federal money to help providers incorporate
EHRs into their practices
Recognized that a majority of data breaches involved Business
Associates, and that there was (previously) no direct federal
accountability for unlicensed BAs under the HIPAA provisions
HB 300 (Texas Medical Privacy Act)
Took effect on 09/01/2012
Re-defined “Protected Health Information”
Expanded definition of “Covered Entity” to include entities
that come into possession of, obtain, assemble, collect,
analyze, evaluate, store or transmit PHI.
HB 300 (Texas Medical Privacy Act)
Expanded privacy and security mandates on covered entities,
such as:
Employee training (within 60 days of hire and at least every 2
years thereafter)
Patient access to electronic health records (EHRs) within 15
business days of a written request
Identifies the state agencies that regulate covered entities
and each agency's compliance enforcement process
(the Office of the Attorney General for non-licensed C.E.'s)
HB 300 (Texas Medical Privacy Act)
Consumer information website maintained by the Attorney General
Prohibits the sale of PHI (with limited statutory exceptions)
Consumer notice, and in most cases authorization, required for the
electronic disclosure of PHI
Fines and penalties include civil and criminal remedies for
non-compliance
HITECH Overview
The American Recovery and Reinvestment Act of 2009 (ARRA) became federal law on February 17, 2009. HITECH is part of that law. The goal of HITECH is to enhance and expand the HIPAA Privacy and Security Rules. The HITECH Act not only makes the privacy regulations stricter, it also gives federal and state authorities more power to enforce privacy and security protections for patient information and data.
How does HITECH strengthen patient privacy?
It increases HIPAA's patient rights regarding control over their PHI (medical information)
It limits the use of PHI for marketing purposes
It mandates notification of breaches (unauthorized access to, or loss of, PHI)
It extends many of the same requirements to the business associates outside our company to whom we give PHI so they can do their jobs
HIPAA/HITECH Final Omnibus Rule
Published January 25th, 2013
Expands the definition of Business Associates - now
include entities that “maintain” PHI, in addition to those that
create, receive, or transmit PHI for a function or activity
such as claims processing or administration, data analysis,
utilization review, quality assurance, patient safety
activities, billing, benefit management, practice
management, and re-pricing.
The definition extends fully to subcontractors of BAs who
perform these functions.
HIPAA/HITECH Final Omnibus Rule
Solidifies that BAs are directly liable for compliance
with HIPAA. Under the new rules, BAs are statutorily
liable for violations of the HIPAA security rules. They are
also subject to the same HIPAA privacy restrictions as
covered entities. This includes requirements that BAs
create and implement HIPAA privacy and security policies
and procedures in relation to the handling of PHI of a
covered entity. BAs may be subject to compliance reviews
by the federal Department of Health and Human Services
(HHS).
HIPAA/HITECH Final Omnibus Rule
Requires BAs to report breaches of unsecured PHI to the covered
entity.
A breach is an acquisition, access, use or disclosure of PHI that is
not permitted under the Privacy Rule. Under the Omnibus Rule any
such impermissible use or disclosure is presumed to be a breach
unless a documented risk assessment shows a low probability that
the PHI was compromised.
Important Definitions
"Covered Entity"
Under HB 300 (which is broader than the federal HIPAA definition)
and the HITECH Final Rule, read together:
Basically, all persons or entities who receive, possess, or
generate protected health information (PHI), or who store PHI
and could potentially access it
"Protected Health Information"
Individually identifiable health information (including
demographic data) that relates to:
The individual’s past, present or future physical or mental
health or condition;
The provision of health care to the individual, or
The past, present, or future payment for the provision of
health care to the individual
“Protected Health Information”
EXAMPLES: Names, Addresses, Date and place of birth,
Race, Marital Status, Phone numbers, Fax numbers, Email
addresses, Social Security numbers, Medical record numbers,
Health insurance beneficiary numbers, Account numbers,
Certificate/license numbers, Vehicle identifiers and serial
numbers, including license plate numbers, Device identifiers
and serial numbers, Web URLs, IP address numbers, Biometric
identifiers (including finger, retinal and voice prints), Full face
photographic images and any comparable images
HIPAA Security Rule Requirements
Addressable vs. Required
(These labels apply to the implementation specifications of the
Security Rule; they appear next to each safeguard on the following slides.)
Required (R) means that complying with the given
specification is mandatory and, therefore, must be complied
with.
Addressable (A) means that the given specification must be
implemented by the organization unless a documented risk
analysis concludes that implementation is not reasonable and
appropriate for the specific business setting. In that case the
organization must document why, and implement an equivalent
alternative measure where reasonable and appropriate.
Important Note: Addressable does not mean optional.
HIPAA Privacy Requirements
Privacy Requirements
Safeguard documents and communications involving PHI
(oral, written and otherwise)
Shred or definitively destroy documents that are no longer
needed
Notify Covered Entities if any information has been
breached
Have written policies and procedures to account for this
information
See HIPAA Privacy summary for additional
HIPAA Security Requirements
HIPAA Administrative Requirements
Risk Analysis: (R) Perform and document a risk analysis to
identify where ePHI is created, received, stored and transmitted, and
the risks to its confidentiality, integrity and availability
Risk Management: (R) Implement measures sufficient to
reduce these risks to an appropriate level.
Sanction Policy: (R) Implement sanction policies for
employees who fail to comply.
Information Systems Activity Reviews: (R) Regularly
review system activity, logs, audit trails, etc.
Officers: (R) Designate HIPAA Security and Privacy Officers
HIPAA Administrative Requirements
Employee Oversight: (A) Implement procedures to authorize and
supervise employees who work with PHI, and for granting and removing
PHI access to employees. Ensure that an employee’s access to PHI ends
with termination of employment.
Multiple Organizations: (R) Ensure that PHI is not accessed by parent
or partner organizations or subcontractors that are not authorized for
access.
ePHI Access: (A) Implement procedures for granting access to ePHI and
which document access to ePHI or to services and systems which grant
access to ePHI.
Security Reminders: (A) Periodically send updates and reminders of
security and privacy policies to employees.
HIPAA Administrative Requirements
Protection against Malware: (A) Have procedures for
guarding against, detecting, and reporting malicious software.
Login Monitoring: (A) Institute monitoring of logins to
systems and reporting of discrepancies.
Password Management: (A) Ensure there are procedures for
creating, changing, and protecting passwords.
Response and Reporting: (R) Identify, document, and
respond to security incidents.
Contingency Plans: (R) Ensure there are accessible backups
of ePHI and that there are procedures to restore any lost data.
HIPAA Administrative Requirements
Contingency Plans Updates and Analysis: (A) Have procedures for
periodic testing and revision of contingency plans. Assess the relative
criticality of specific applications and data in support of other contingency plan
components.
Emergency Mode: (R) Establish (and implement as needed) procedures to
enable continuation of critical business processes for protection of the security
of electronic protected health information while operating in emergency mode.
Evaluations: (R) Perform periodic evaluations to see if any changes in your
business or the law require changes to your HIPAA compliance procedures.
Business Associate Agreements: (R) Have contracts with business partners
who will have access to your PHI to ensure that they will be compliant.
HIPAA Physical Requirements
Contingency Operations: (A) Establish (and implement as needed) procedures
that allow facility access in support of restoration of lost data under the disaster
recovery plan and emergency mode operations plan in the event of an emergency.
Facility Security: (A) Implement policies and procedures to safeguard the facility
and the equipment therein from unauthorized physical access, tampering, and
theft.
Access Control and Validation: (A) Implement procedures to control and
validate a person’s access to facilities based on their role or function, including
visitor control, and control of access to software programs for testing and revision.
Maintenance Records: (A) Implement policies and procedures to document
repairs and modifications to the physical components of a facility which are related
to security
HIPAA Physical Requirements
Workstations: (R) Implement policies governing what software
can/must be run and how it should be configured on systems that
provide access to ePHI. Safeguard all workstations providing access to
ePHI and restrict access to authorized users.
Devices and Media Disposal and Re-use: (R) Create procedures
for the secure final disposal of media that contain ePHI and for the
reuse of devices and media that could have been used for ePHI.
Media Movement: (A) Record movements of hardware and media
associated with ePHI storage. Create a retrievable, exact copy of
electronic protected health information, when needed, before
movement of equipment.
HIPAA Technical Requirements
Unique User Identification: (R) Assign a unique name and/or
number for identifying and tracking user identity.
Emergency Access: (R) Establish (and implement as needed)
procedures for obtaining necessary electronic protected health
information during an emergency.
Automatic Logoff: (A) Implement electronic procedures that
terminate an electronic session after a predetermined time of
inactivity.
Encryption and Decryption: (A) Implement a mechanism to
encrypt and decrypt electronic protected health information when
deemed appropriate. Note that under HHS guidance, ePHI encrypted
in line with NIST recommendations is "secured" PHI, so its loss does
not trigger breach notification; unencrypted ePHI on a lost laptop
or drive does.
HIPAA Technical Requirements
Audit Controls: (R) Implement hardware, software, and/or
procedural mechanisms that record and examine activity in
information systems that contain or use electronic protected health
information.
ePHI Integrity: (A) Implement policies and procedures to Protect
electronic protected health information from improper alteration or
destruction.
Authentication: (R) Implement procedures to verify that a person or
entity seeking access to electronic protected health information is the
one claimed.
Transmission Security: (A) Implement technical security measures
to guard against unauthorized access to electronic protected health
information that is being transmitted over an electronic
communications network.
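The Login Monitoring, Information Systems Activity Review and Audit Controls safeguards above all come down to the same practical task: regularly reading the access logs and flagging discrepancies. The following script is an added example, not code from the presentation or from Dental Compliance Specialists; it runs a review over a constructed audit log in an assumed "key=value" format and flags the discrepancies a reviewer would look for: bursts of failed logins, use of a shared account to view patient records (which defeats Unique User Identification), ePHI access outside business hours, and activity by a terminated or unknown account. The account inventory, business hours and thresholds are assumptions for illustration.

```python
"""Audit-log review for the HIPAA Login Monitoring and Audit Controls
safeguards.  Example code added to this page; not part of the original
presentation.  Log format, thresholds and account names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one event per line as
# "<ISO timestamp> user=<id> action=<login|view|export> result=<ok|fail> [patient=<MRN>]"
SAMPLE_LOG = """\
2013-02-04T08:05:10 user=jdoe action=login result=ok
2013-02-04T08:06:00 user=jdoe action=view result=ok patient=MRN-1001
2013-02-04T08:07:30 user=asmith action=login result=fail
2013-02-04T08:07:45 user=asmith action=login result=fail
2013-02-04T08:08:10 user=asmith action=login result=fail
2013-02-04T08:08:20 user=asmith action=login result=ok
2013-02-04T12:15:00 user=frontdesk action=view result=ok patient=MRN-1002
2013-02-04T22:40:00 user=bjones action=login result=ok
2013-02-04T22:41:00 user=bjones action=export result=ok patient=MRN-1003
2013-02-04T23:10:00 user=rlee action=login result=ok
"""

# Assumed account inventory: who is still employed, and which accounts are
# generic (a shared login defeats the Unique User Identification requirement).
ACTIVE_USERS = {"jdoe", "asmith", "bjones"}
TERMINATED_USERS = {"rlee"}          # access must end with termination
SHARED_ACCOUNTS = {"frontdesk"}
BUSINESS_HOURS = (7, 19)             # 07:00-19:00 local, assumed
FAIL_THRESHOLD = 3                   # failed logins per user within FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Turn one log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ev = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for kv in parts[1:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            ev[key] = value
    return ev if {"user", "action", "result"}.issubset(ev) else None


def review_log(text):
    """Return a list of (category, user, detail) findings, in log order."""
    events = [e for e in (parse_line(ln) for ln in text.splitlines()) if e]
    findings = []
    fails = defaultdict(list)        # user -> timestamps of failed logins
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        # Terminated accounts and accounts missing from the inventory should never appear.
        if user in TERMINATED_USERS or user not in ACTIVE_USERS | SHARED_ACCOUNTS:
            findings.append(("terminated_or_unknown_user", user, ev["action"]))
        # A shared login touching a patient record cannot be traced to one person.
        if user in SHARED_ACCOUNTS and "patient" in ev:
            findings.append(("shared_account_phi_access", user, ev["patient"]))
        # Repeated failures inside the window look like guessing; report once per burst.
        if ev["action"] == "login" and ev["result"] == "fail":
            fails[user].append(ts)
            recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            if len(recent) == FAIL_THRESHOLD:
                findings.append(("failed_login_burst", user, f"{len(recent)} failures"))
        # Patient-record access outside business hours warrants a follow-up question.
        if "patient" in ev and not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours_phi_access", user,
                             f"{ev['action']} {ev['patient']}"))
    return findings


if __name__ == "__main__":
    for category, user, detail in review_log(SAMPLE_LOG):
        print(f"{category:28} {user:10} {detail}")
```

Each finding is the starting point of a documented follow-up, not a verdict: an after-hours export may be a legitimate on-call lookup, and the point of the review record is to show that someone asked. In a real deployment the inventory would come from the HR system rather than a hard-coded set, so that the terminated-user check stays current, and the reviewed output would be retained as evidence for the periodic evaluations the rule requires.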
Action Steps
Steps to Compliance
Create, revise, and/or implement HIPAA policies and
procedures. Diligently pursue HIPAA-compliant policies
and procedures as they relate to HIPAA security and
privacy requirements.
Steps to Compliance
Ensure you have Business Associate agreements on
file with the Covered Entities whose patients' PHI
you have access to. Ensure you have BA agreements
with covered entity clients, as well as with the subcontractors
to whom you delegate BA functions (consider relationships
with lenders, transition specialists, practice management,
attorneys and other vendors).
Steps to Compliance
Ensure that you and ALL employees or persons for whom
you are responsible receive training as required:
within 60 days of beginning new employment,
and;
every two years thereafter
Training must cover both State and Federal
requirements
Disclaimer
This presentation is NOT comprehensive and is only intended as a high-level overview of information relevant to Covered Entities and Business Associates. My team and I are happy to provide you with additional information or you can surf the Internet at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html
DUANE
TINKER
Duane Tinker traded his gun and badge for a clipboard and classroom to inform and teach Dental professionals how to stay off the radar and out of the news! As President & CEO of Dental Compliance Specialists, LLC -- a company specializing in Dental office regulatory compliance – he has taken his expertise as a former law enforcement officer responsible for investigating criminal and civil complaints against practices and now uses this knowledge to assist Dental professionals in avoiding these legal pitfalls. He is a much sought-after speaker and consultant and a member of the Speaking Consulting Network. In this pursuit, today his passion is all about helping beleaguered oral healthcare providers find justice!