The Implementation of HIPAA
Joan M. Kiel, Ph.D., C.H.P.S.
Duquesne University
Pittsburgh, Pennsylvania
HIPAA Parts
• HIPAA: 6 of 11 Parts Released:
• Transactions & Code Sets [2002]
• Privacy [2003]
• Unique Identifier- Employer [2004]
• Security [2005]
• Enforcement [2006]
• Unique Identifier – Provider (NPI) [2007]
HIPAA Parts
• HITECH: Health Information Technology for Economic & Clinical Health Act [2/2010]
• HIPAA Compliance Audit Protocol [7/2012]
• HIPAA “MegaRule” [1/25/2013]
HIPAA Personnel Role
• Privacy Person [45CFR164.530(a)(1)(i)]
• Security Person [45CFR164.308(a)(2)]
• The Federal Government mandates that covered entities have both a privacy person and a security person.
• This person (or these persons) implements and manages the previously mentioned policies.
What Needs to Be Done
• For each of the policies, the HIPAA person will do the following 11 items.
• This is an ongoing process; an item is never truly done, just like your other work.
1. HIPAA Committee
• Representatives from health services and medical records, information technology, management, finance, and policy.
2. Policies & Procedures
• For the six HIPAA Rules to date, develop policies from the law, not secondary sources
• The laws are released in the Federal Register
3. Training & Awareness
• Live or on-line, but must be ongoing
• Staff meeting awareness
• Payroll stuffers/emails as awareness
• Integrate awareness to daily activities
4. Documentation
• Documentation must be retained for six years
• Critical with July 2012 HIPAA Compliance Audit Protocol & MegaRule
5. Risk Assessments & Audits
• Quarterly
• Authentication: most likely passwords
• Data integrity checks
• Have a policy and process to act on the findings
6. Complaint Process
• People need to be aware of how to file a complaint; thus, post process to file complaints
• Complaints are only to be HIPAA related
• Have a policy & process to act on the complaints
7. Sanction Process
• Sanction only for the HIPAA violation
• Internal investigation and/or OCR
• Civil and criminal penalties per Enforcement Rule
• Follow-up on the sanction and charge
8. Web Site
• If the covered entity has a web site, the Notice* of Health Information Privacy Practices must be prominently displayed on the web site.
• Keep the web site updated
• *Notice as of February 2009 & MegaRule – July 15, 2014
9. Formage
• Develop forms from the laws.
• May or may not be able to reuse forms from other covered entities (i.e., addressable Security Rule policies)
• Educate staff on the formage
10. Business Associate Agreements
• Assess all those external to the workforce who have access to the covered entity’s PHI
• Both the Privacy Rule & the Security Rule cover BAAs. HITECH & the MegaRule brought tougher BAA requirements.
11. Research
• Play an integral role with the covered entity’s Institutional Review Board
• Ensure minimum necessary standards for data used in research
• Look for changes in 2013 or 2014