
HIPAA POLICIES, CONTRACTS AND FINES


Presentation Transcript


  1. HIPAA POLICIES, CONTRACTS AND FINES

  2. Dawn Meglino StratX IT Solutions HIPAA Privacy & Security Officer

  3. Alyson Leone Wilentz, Goldman & Spitzer, P.A. Shareholder

  4. Why conduct an annual Security Risk Analysis (SRA)?
     • If you look at HIPAA breaches and the HIPAA Wall of Shame, the companies listed almost always had an incomplete Risk Analysis or didn’t conduct one at all.
     • The Office for Civil Rights (OCR) states that an SRA needs to be done annually.
     • A Security Risk Analysis or Risk Assessment should also be conducted any time there is a change in the organization’s environment.

  5. Business Associate Agreements (BAA) – who do I need?
     • You must have a BAA with any person or entity that performs functions or activities on behalf of, or provides certain services to, a Covered Entity where that involves access by the third party to Protected Health Information (PHI), or that creates, receives, maintains, or transmits PHI on behalf of the Covered Entity.
     • A BAA is not needed for every individual or organization that is involved with the Surgery Centers.
     • Cleaning companies are not required to have a signed BAA, but the Covered Entity must have a Clean Desk Policy along with physical security measures in place.
     • Be sure your BAA includes all required provisions.

  6. HIPAA Training for staff – a must
     • Most cyber attacks are the result of a staff member’s actions.
     • Training for staff needs to be on a regular basis; it should not be just an annual training.
     • Always document all HIPAA training offered to and completed by staff members.
     • The more training provided and the better educated your staff members are, the less likely your center is to suffer a cyber attack, security incident or breach.

  7. Do I need to keep my computer clean of PHI?
     • Keep computers clean of any PHI in the Documents and Downloads folders, on the desktop, and in the trash/recycle bin.
     • NO PHI should be saved on the computer’s local hard drive.
     • Empty the trash/recycle bin on a regular basis (at least weekly).
     • Do NOT charge cell phones on the business computers.
     • Have content filtering installed to block unwanted internet traffic.

  8. HIPAA Computer Tips
     • Ensure workstations are locked (WINDOWS KEY + L) BEFORE LEAVING YOUR WORKSTATION UNATTENDED, even if there is a lockout policy after 10 to 15 minutes of inactivity.
     • Do not save/store any documents containing PHI (Protected Health Information) on the computer desktop, in the recycle/trash bin, or in the Documents and Downloads folders. PHI needs to be stored securely on the server, EMR, Billing or Practice Management systems.
     • Empty recycle/trash bins on a regular basis – at the end of each day, or at minimum once a week.
     • No unauthorized devices plugged into computers (cell phones, USB drives).
     • Log the computer off securely at the end of each day (Restart or Log off). NEVER shut down computers.
     • NEVER email ePHI unless an email encryption solution is used properly. DO NOT USE public email services, e.g., Gmail, AOL or Yahoo, for transmission of patient data.
     • CLEAN DESK POLICY: Secure all papers containing PHI in locked cabinets, closets and desks at the end of each day.
     • Follow the Acceptable Use Rules for the computers and office devices:
       • No internet surfing or shopping
       • No social media sites
       • Do not click on any email links coming from a questionable/unverified source.
       • No sharing of user IDs and passwords

  9. Paper documents in the Surgery Centers
     • Documents containing PHI should not be accessible to the public or left unsecured in the Surgery Center. The Clean Desk Policy must be in effect after hours.
     • Retention periods need to be set for older charts and papers containing PHI.
     • Secure shredding bins have to be used, and a certified shredding company used for disposal, providing certificates of destruction for the documents.

  10. Do I need to have email encryption?
     • Email encryption is a must for all emails containing PHI or sensitive data.
     • Any PHI that is being sent from the Covered Entity via email must be encrypted.
     • If staff and doctors are texting PHI, an encryption tool needs to be installed on the device.
     • If PHI is encrypted, a breach is not reportable – “Safe Harbor”.

  11. Is it important to review user accounts?
     • Review user accounts for all operating systems and applications that contain PHI on a regular basis. Ensure all active users are still employed by the Surgery Center.
     • Archived or historic software accounts containing PHI need to be reviewed. Disable inactive users immediately.
     • “Shared” accounts for operating systems and applications containing PHI need to be eliminated. There is no audit trail when multiple users are signing in with the same credentials.
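As an added example (not part of the presentation, and not a tool from StratX IT Solutions or Wilentz, Goldman & Spitzer), the script below applies the three checks on this slide to an account export from an application holding PHI: the account holder is no longer on the HR roster, the account has not been used inside an inactivity window, or more than one person signs in with it. The CSV column names, the 90-day threshold, the fixed review date and all usernames are constructed assumptions; a real run would feed it the export from the EMR, billing or practice management system and the roster from HR.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Review parameters (assumed values; the slide leaves the cadence to the center).
REVIEW_DATE = date(2024, 5, 22)   # fixed so the example is deterministic
INACTIVE_AFTER_DAYS = 90          # assumed threshold for "inactive"

# Constructed HR roster of currently employed staff, keyed by username.
CURRENT_STAFF = {"jsmith", "mlee", "rgarcia", "tpatel"}

# Constructed account export in the shape an EMR or billing system might
# produce (column names are assumptions): username, enabled flag, last
# successful login, and the people known to sign in with the account.
ACCOUNT_EXPORT = """\
username,enabled,last_login,known_users
jsmith,true,2024-05-20,jsmith
mlee,true,2024-03-01,mlee
rgarcia,true,2023-11-15,rgarcia
bwong,true,2024-05-18,bwong
frontdesk,true,2024-05-21,jsmith;tpatel
tpatel,false,2024-01-10,tpatel
"""


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: date
    known_users: list


@dataclass
class Finding:
    username: str
    issue: str
    action: str


def parse_export(text: str) -> list:
    """Parse the CSV export into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append(Account(
            username=row["username"].strip(),
            enabled=row["enabled"].strip().lower() == "true",
            last_login=date.fromisoformat(row["last_login"].strip()),
            known_users=[u for u in row["known_users"].split(";") if u],
        ))
    return accounts


def review_accounts(accounts, staff, review_date=REVIEW_DATE,
                    inactive_after_days=INACTIVE_AFTER_DAYS) -> list:
    """Apply the slide's three checks to every enabled account."""
    cutoff = review_date - timedelta(days=inactive_after_days)
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to act on
        # 1. Shared credentials: more than one person signs in with the
        #    account, so the audit trail cannot attribute actions to anyone.
        if len(acct.known_users) > 1:
            findings.append(Finding(acct.username, "shared account",
                                    "replace with individual accounts, then disable"))
            continue
        # 2. Account holder is no longer employed by the center.
        if acct.username not in staff:
            findings.append(Finding(acct.username, "not a current employee",
                                    "disable immediately"))
            continue
        # 3. No successful login inside the inactivity window.
        if acct.last_login < cutoff:
            findings.append(Finding(acct.username, "inactive account",
                                    "disable and confirm status with manager"))
    return findings


if __name__ == "__main__":
    for f in review_accounts(parse_export(ACCOUNT_EXPORT), CURRENT_STAFF):
        print(f"{f.username:<12} {f.issue:<24} -> {f.action}")
```

With the constructed data the script flags rgarcia (no login in over 90 days), bwong (not on the HR roster) and frontdesk (two people share it); tpatel is skipped because the account is already disabled. Keeping the dated output of each run alongside the export it was produced from gives the documented review trail the slide asks for.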

  12. Are vulnerability scans necessary?
     • HIPAA compliance rules indicate that vulnerability scans for systems and networks are required. The frequency of the scan is up to the Covered Entity, but it should be done at a minimum annually.
     • Vulnerability scans identify areas on the firewall that could potentially let the “bad guys” onto the Center’s network.

  13. What is Physical Security?
     • Physical security controls are a HIPAA requirement to ensure equipment is secured, locked server racks are in place, computers are locked when not in use, and all patients and visitors are escorted through the Surgery Center.
     • Clean Desk Policy – lock up or put away any PHI in drawers or cabinets. Do not leave papers containing PHI on an unattended desk, counter or fax machine.
     • Secure areas of the facility with keys and/or badges; allow limited access depending on a staff member’s job duties.

  14. Are there any Penalties for violations of HIPAA?
     • Four categories of violations and four corresponding tiers of civil monetary penalties:
       1. Person did not know (and, by exercising reasonable diligence, would not have known) of a violation;
       2. Violation was due to reasonable cause, and not willful neglect;
       3. Violation was due to willful neglect that is timely corrected; and
       4. Violation was due to willful neglect that is not timely corrected.
     • Currently, all tiers have the same annual civil money penalty (CMP) limit of $1.5M.
     • April 26, 2019 – OCR notification of a different cumulative annual CMP limit for each tier.

  15. Useful Websites
     • The Office for Civil Rights - https://www.hhs.gov/ocr
     • National Institute of Standards & Technology - https://www.nist.gov
     • OCR website for HIPAA Professionals - https://www.hhs.gov/hipaa/for-professionals

  16. Dawn Meglino – dmeglino@stratxit.com
      Alyson M. Leone – aleone@wilentz.com
