Healthcare IT: Security Risks & Regulations

Upload: chips-technology-group

Post on 19-Jan-2017

TRANSCRIPT

What is HIPAA?

HIPAA
• The Health Insurance Portability and Accountability Act (HIPAA) and its regulations protect the privacy of an individual's health information and govern the way certain health care providers and health plans collect, maintain, use and disclose protected health information (PHI).
• The Privacy Rule covers PHI in any form (paper, spoken, electronic); the Security Rule requires administrative, physical and technical safeguards for PHI held or transmitted electronically (ePHI).

Are You HITECH?

HITECH Act
• The Health Information Technology for Economic and Clinical Health Act (HITECH, 2009) strengthens HIPAA and increases its penalties: business associates become directly liable for Security Rule compliance, breaches of unsecured PHI must be reported to affected individuals and to HHS, and civil penalties are tiered by culpability (see the fines table at the end of this deck).

Who is Affected?

Nobody is "safe" when it comes to HIPAA and the HITECH Act.

- Covered Entities
  • Providers
  • Hospitals
  • Health Plans
- Business Associates
- Subcontractors

Even if your company is not in the healthcare sector, chances are HIPAA & HITECH still affect you!

What Is... A Business Associate?

• A person who performs functions or activities on behalf of, or certain services for, a covered entity (CE) that involve the use or disclosure of PHI
• A person who creates, receives, maintains, or transmits PHI on behalf of a CE
• An entity that maintains PHI even if the entity does not actually view the PHI (a hosting or cloud storage provider holding encrypted ePHI is still a business associate and must sign a business associate agreement)

A Covered Entity?

• Any person or organization who furnishes, bills, or is paid for healthcare in the normal course of business and transmits health information electronically in connection with a HIPAA standard transaction
  - Hospitals
  - Health Plan Providers
  - Health Insurance Issuers
  - Health care clearinghouses
  - Etc...

A Subcontractor?

• A person who acts on behalf of a business associate (BA)
• A person who creates, receives, maintains, or transmits PHI on behalf of a BA
• A person who is delegated a function, activity, or service by a BA

Notable HIPAA & HITECH Security Breaches

On July 26, 2013, a jury in Marion County, Indiana, awarded $1.44 million to a Walgreens customer based on allegations that the customer's pharmacist accessed, reviewed and shared the customer's prescription history with others who then used the information to intimidate and harass the customer. The pharmacist was an authorized user of the pharmacy system; what was missing was a treatment relationship with that patient, which only per-user accounts and audit logs can reveal.

Source: http://www.mondaq.com/unitedstates/x/260050/Healthcare/HIPAA+Violation+Results+In+144m+Jury+Verdict+Against+Walgreens+Pharmacist

AHMC Healthcare, a six-hospital health system in Alhambra, California, in one of the biggest HIPAA privacy breaches ever reported, notified 729,000 patients that their protected health information had been compromised following the theft of two unencrypted laptops by a transient. Under HHS guidance, PHI encrypted in line with NIST standards is not "unsecured PHI", so a stolen laptop with full-disk encryption and a protected key generally does not trigger breach notification at all.

Source: http://www.healthcareitnews.com/news/HIPAA-breach-brings-bad-news-for-729,000

The Oregon Health & Science University notified 3,044 patients that their protected health information had been compromised after several residents and physicians-in-training inappropriately used Google cloud services to maintain a spreadsheet of patient data. A consumer cloud service adopted ad hoc by staff holds PHI without any business associate agreement, which is itself a violation regardless of whether the data is ever exposed.

Source: http://www.healthcareitnews.com/news/fourth-big-hipaa-breach-ohsu

How Can I Stay Compliant?

Common Violation:
- Unauthorized access by a member of the care team or administration

Example of How to Avoid:
- Lock down security to all medical records
- Set up a password-protected central system for accessing this information, with a unique account per user so every record access can be attributed to one person
- Change passwords periodically (rotation alone does little against a shared or stolen password; pair it with audit logging and review of who accessed which records)
- Set up administrative safeguards to protect access and prevent non-authorized personnel from viewing or receiving PHI

Common Violation:
- Improperly using the internet

Example of How to Avoid:
- Make your staff aware that posting any PHI on social-media sites is a violation of privacy
- Avoid posting surgery schedules online
- Never send unencrypted e-mails that contain PHI

*Source: http://medicalofficetoday.com/Content_free/Common-HIPAA-Violations.aspx
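The "unauthorized access by a member of the care team" case above (and the Walgreens verdict earlier in the deck) is an insider with a valid login, so a password-protected system catches nothing on its own; the control that works is an audit log reviewed against who is actually assigned to each patient. The following is an added example written for this page, not code from the original deck or from CHIPS Technology Group. The log line format, the user and patient identifiers, the `break_glass`/`reason` fields and the care-team assignment table are all constructed assumptions; a real EHR exports audit events in its own schema, and the same check applies once the fields are mapped.

```python
"""Flag PHI record accesses that have no matching care-team assignment.

Added example (not from the original slide deck). The key=value log
format, identifiers and assignment table below are constructed for
illustration only.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed care-team assignments: (patient_id, user_id, start, end).
# end=None means the assignment is still active.
ASSIGNMENTS = [
    ("P1002", "rn.jones", "2017-01-10T00:00:00Z", None),
    ("P1002", "dr.patel", "2017-01-10T00:00:00Z", "2017-01-11T23:59:59Z"),
    ("P1003", "rn.jones", "2017-01-05T00:00:00Z", None),
]

# Constructed sample audit log (hypothetical EHR export format).
SAMPLE_LOG = """\
2017-01-12T09:14:03Z user=rn.jones patient=P1002 action=VIEW_CHART
2017-01-12T09:20:11Z user=dr.patel patient=P1002 action=VIEW_CHART
2017-01-12T10:02:45Z user=ph.smith patient=P1002 action=VIEW_RX_HISTORY
2017-01-12T11:30:00Z user=ed.lee patient=P1003 action=VIEW_CHART break_glass=yes reason="ED admit"
2017-01-12T11:31:00Z user=rn.jones patient=P1003 action=VIEW_CHART
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
# Values are either a double-quoted string or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str
    break_glass: bool
    reason: str


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> AccessEvent:
    """Parse one audit line into an AccessEvent; raises ValueError on garbage."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return AccessEvent(
        ts=parse_ts(m.group("ts")),
        user=fields["user"],
        patient=fields["patient"],
        action=fields["action"],
        break_glass=fields.get("break_glass", "no").lower() == "yes",
        reason=fields.get("reason", ""),
    )


def has_relationship(event: AccessEvent, assignments) -> bool:
    """True if the user was on the patient's care team at the time of access."""
    for patient, user, start, end in assignments:
        if patient != event.patient or user != event.user:
            continue
        if parse_ts(start) <= event.ts and (end is None or event.ts <= parse_ts(end)):
            return True
    return False


def audit(log_text: str, assignments):
    """Return (unauthorized, break_glass): events with no active assignment.

    Break-the-glass accesses are legitimate in an emergency but still have
    no assignment, so they are reported separately for after-the-fact review
    rather than treated as violations.
    """
    unauthorized, break_glass = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if has_relationship(ev, assignments):
            continue
        (break_glass if ev.break_glass else unauthorized).append(ev)
    return unauthorized, break_glass


if __name__ == "__main__":
    bad, emergency = audit(SAMPLE_LOG, ASSIGNMENTS)
    for ev in bad:
        print(f"UNAUTHORIZED {ev.ts:%Y-%m-%d %H:%M} {ev.user} -> {ev.patient} ({ev.action})")
    for ev in emergency:
        print(f"REVIEW break-glass {ev.ts:%Y-%m-%d %H:%M} {ev.user} -> {ev.patient}: {ev.reason}")
```

On the constructed sample, the check flags dr.patel (assignment expired the day before) and ph.smith (never assigned) as unauthorized, and lists ed.lee's break-the-glass access for review. Note that it depends on the two things the slide asks for: one account per person, so `user=` identifies an individual, and a record of assignments kept outside the EHR audit trail so the comparison is independent of the system being audited.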

How Can I Stay Compliant?

Common Violation:
- Failure to secure and/or shred paper documents

Example of How to Avoid:
- Keep all paper records in a locked room, cabinet, or an off-site location
- Shred all discarded sensitive documents thoroughly
- Avoid putting stickers on the outside of a patient's chart to indicate diagnosis

Common Violation:
- Being overheard discussing PHI

Example of How to Avoid:
- Train staff not to leave PHI in phone messages
- Use private rooms for PHI-based discussions or phone calls
- Lock your computer screen whenever leaving your desk

*Source: http://medicalofficetoday.com/Content_free/Common-HIPAA-Violations.aspx

HIPAA & HITECH: Fines & Penalties

Civil penalty tiers (per violation category, as set by the HITECH Act; amounts shown are the original statutory figures before later inflation adjustments):

Tier 1: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
  Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: this is also the maximum that can be imposed by State Attorneys General regardless of the type of violation)
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Tier 2: HIPAA violation due to reasonable cause and not due to willful neglect
  Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Tier 3: HIPAA violation due to willful neglect, but the violation is corrected within the required time period (30 days from when the entity knew or should have known of it)
  Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Tier 4: HIPAA violation due to willful neglect and not corrected
  Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

*Source: American Medical Association

CHIPS Technology Group LLC 5 Aerial Way, Suite 400 Syosset, NY 11791 Tel 516-377-6585 www.chipstechnologygroup.com