Protecting Your Practice, November 16-17, 2011 • HIPAA & Other Legal Concerns • Presented by • Jennifer J. Thomas • jennifer.thomas@keanmiller.com • Lyn S. Savoie • lyn.savoie@keanmiller.com
Overview • HIPAA Security Rule • HIPAA Changes in ARRA • Accounting/Access • HIPAA Breach Notification • HIPAA Enforcement • Louisiana Breach Notification
HIPAA Security Rule • Published February 20, 2003 • Applies to PHI in Electronic Form • Implements Safeguards for Electronic Health Information • Protects PHI while promoting the use of electronic health records
HIPAA Security Rule • Three-layered approach • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Standards • Implementation Specifications • Required (must be implemented as written) • Addressable (implement if reasonable and appropriate; otherwise document why and implement an equivalent alternative measure)
HIPAA Security Rule • Compliance Considerations • Size, Complexity, and Capabilities of CE • Technical infrastructure, hardware and software security capabilities • Cost of Security Measures • Probability and Criticality of Potential Risks to ePHI
HIPAA Security Rule • Administrative Safeguards • Security Incident Procedures • Contingency Plan • Evaluation • Business Associate Contracts
HIPAA Security Rule • Administrative Safeguards • Security Management Process • Assigned Security Responsibility • Workforce Security • Information Access Management • Security Awareness and Training
HIPAA Security Rule • Physical Safeguards • Facility Access Controls • Workstation Use • Workstation Security • Device and Media Controls
HIPAA Security Rule • Technical Safeguards • Access Control • Audit Controls • Integrity • Person or Entity Authentication • Transmission Security
HIPAA Security Rule – ARRA Changes • Accounting for Disclosures • HIPAA Accounting Requirements • Change for Covered Entities with “electronic health records” (accounting extends to disclosures for treatment, payment and health care operations made through the EHR) • 3-Year Accounting Period (rather than 6 years) for EHR disclosures • Timetable for Enactment • Delegation to Business Associates • Access to Electronic Records (individual’s right to a copy of PHI in electronic form)
HIPAA Breach Notification • Notification of Breaches • What is a breach? • What is unsecured PHI? (PHI not rendered unusable, unreadable or indecipherable by encryption or destruction per HHS guidance) • Who must be notified? • Individual (without unreasonable delay, no later than 60 days after discovery) • HHS (without unreasonable delay for breaches affecting 500 or more individuals; annual log for smaller breaches) • Media (breaches affecting more than 500 residents of a state or jurisdiction) • Content of Notification
HIPAA Breach Notification • Content of Notification • Description of event • Date of Breach • Date of Discovery • Types of unsecured PHI involved • Steps individual should take • Steps being taken by covered entity • Contact information
HIPAA Enforcement • OCR Audit Program Begins November 2011 • 150 CEs in Pilot Program • Privacy and Security Rule Compliance Monitored • Enforcement from Complaints • 471 Security Rule Complaints • 236 Closed After Investigation and Corrective Action
HIPAA Enforcement • Tiered Civil Monetary Penalties Under ARRA • $100 to $50,000 Per Violation • Maximum Annual Penalty of $25,000 to $1.5 million for violations of an identical provision • Penalty Tier Varies Based Upon Knowledge (level of culpability) and Corrective Action Taken
Louisiana Breach Notification • Computerized Data Containing Personal Information • Last Name; and • First Name or Initial; and • One or more of: Social Security Number; Driver’s License Number; or Account Number, credit card or debit card number (together with any required security code, access code or password)
Louisiana Breach Notification • Notify Individual • In the most expedient time possible and without unreasonable delay • Written, electronic or substitute notification • Notify LA Attorney General • Within 10 days of individual notification • $5,000 fine for failure to report • Civil Action for Breach