“ technology working for people” intro to hipaa and small practice implementation

“ Technology Working For People”

Intro to HIPAA and

Small Practice Implementation


Overview

What is HIPAA?

Transactions

Privacy

Security

Implementation Manual/Process


Insurance Reform[Portability]

Insurance Reform[Portability]

Administrative Simplification[Accountability]

Health Insurance Portability and Accountability Act (HIPAA)

Transactions, Compliance

Date: 10/16/2003

Privacy Compliance

Date: 4/14/2003

Security Compliance

Date: 4/21/2005

What is HIPAA?


Who is affected ?“Covered Entities” which include:

•Health Plans•Healthcare Clearinghouse•Healthcare Provider who transmits health information in electronic format

(Us )


Is it Mostly ProcessOr Mostly “Things” to purchase?

20%

80%

Technical

Process


HIPAA Compliance Deadlines

Transaction & Code Sets October 16, 2003 (with extension)

Privacy RegulationApril 14, 2003

Security RegulationsApril 21, 2005 or April 21, 2006 for

small health plans


COMPLY?

$100 for each violation

Maximum of $25,000 per year per specific

provision

Penalties up to $250,000 Prison time up to 10 years

Non-Compliance

Unauthorized Disclosure or Misuse of Patient Information


Transactions, Codes, & Identifiers

What are they, and why do we care ?

Is it something I control ?

How do we comply?


Transaction, Codes, and Identifiers

Verify your vendor or clearinghouse has

been certified?

Tested your electronic claims submission for accuracy?


Privacy Regulations Require Designating a Privacy

Officer Educate the Privacy Officer

Take this training moduleBecome familiar with helpful web

sites Begin Implementing the new

Procedures & Policies


Privacy Regulation

The Privacy Rule has 3 General AreasPatient RightsCommunicationsAdministration


Privacy Regulation

Patient RightsNotice of Privacy PracticeAuthorization FormAccess and Amendment PolicyAccounting and Restrictions Policy


Privacy RegulationCommunications

Phone and Face-to-FaceEmail Policy (Optional)Fax PolicyMedical RecordsDe-Identification


Privacy RegulationAdministration

Privacy OfficerBusiness Associate Privacy ContractTrackingSafeguardsPre-emption of State LawTraining


Security Regulation

Three Categories of Security StandardsAdministrativePhysicalTechnical


Security Regulation

In All 3 Categories, the Standards are:Required

orAddressable


Security - General RuleEnsure the confidentiality, integrity and availability

of all EPHIProtect against any reasonably anticipated threat

or hazard to security or integrityProtect against reasonably anticipated uses or

disclosure that are nor permitted under the Privacy Rule

Ensure compliance by your workforce


Security Flexibility•Size, complexity and capabilities of office

•Technical infrastructure, hardware and software security capability of office

•Costs of security measures

•Probability and criticality of potential risks


Security – Administrative Security Management Responsibility Workforce Security Information Access Management Security Awareness & Training Incident Procedures Contingency Plan Evaluation Business Associate Contract


Security - PhysicalFacility Access ControlWorkstation UseWorkstation SecurityDevice & Media Controls


Security - TechnicalAccess ControlAudit Controls IntegrityEntitiy AuthenticationTransmission Security


ImplementationThe Head of Practice Overview

Office Manager Steps

Transaction/Code Certification

Staff Training

Privacy

Security

Maintenance


Office Manager Steps

Appointed Privacy & Security Officer

Studies the HIPAA Office Manual

Makes any modifications to the forms, policies and procedures for this specific practice

Calls a staff meeting for HIPAA training


Transaction/Code Certification

Obtain certification of compliance from Billing/Admin software vendor

Obtain certification of compliance from all clearinghouse vendors

Confirm accuracy of transactions


Staff Training

Staff read the awareness essay

Read and sign employee confidentiality form

Attend the HIPAA overview training

Attend Security Awareness Training


Privacy

Post Privacy Notice

Process for patients receiving and signing Notice of Privacy Practice

Post Fax and Email Policies

Create “Entities” log

Issue/Collect Business Associate contracts


SecurityVeroTek & Office Manager Produce:

Risk Assessment/Plan Access Control Workstation Security Staff Security Training Anti-Virus Procedures Backup Procedures Internet/Firewall System Disaster Recovery Plan


Maintenance

Quarterly review by Office Manager for compliance

Bi-Annual Security Audit by VeroTek

“As Required” updates as regulations change


Questions?Call VTSHelpDesk

@ 858-483-1692

or Email [email protected]

“ technology working for people” intro to hipaa and small practice implementation

Documents

people privacy regulations

people security regulation

people transactions

workforce slide

addressable slide

people security flexi

privacy rule

people security general