SlideShare a Scribd company logo

HIPAA and HITECH : What you need to know

Shred-it, profile picture
Shred-it

The document provides an overview of HIPAA and HITECH, emphasizing the importance of safeguarding patient information and compliance with regulations to prevent breaches. It details the roles of presenters in healthcare compliance and the evolution of privacy protections following the implementation of the HITECH Act. Additionally, it outlines key terms, practices for compliance, penalties for violations, and best practices for healthcare organizations to protect sensitive information.

TechnologyBusiness
1 of 25
Downloaded 45 times
1
2
3
4
5
Most read
6
7
8
9
Most read
10
11
Most read
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HIPAA and HITECH What You Need to Know
Today's Presenters Andrew Lenardon, Director of National Accounts Indirect Solutions for North America at Shred-it Andrew Lenardon is the Director of National Accounts Indirect Solutions for North America at Shred-it International,Inc., where he brings over 15 years of sales and leadership experience. In his role, Lenardon leads a team of professionals in helping Healthcare and Enterprise client improve the security of how they handle confidential records and identify wasteful spending that can be shifted to priorities such as information security, compliance efforts and business efficiency. Lenardon has worked at Shred-it since 2006. A graduate from McMaster University, Lenardon holds a B.Sc. in Biochemistry and currently resides in Toronto, Canada. Chris Sheehan, Compliance Agent, Providence, Rhode Island Chris has a combined 17 years of experience in the Records Management & Information Security industries. In the past he has served on the Board of Directors and Vice President for ARMA (Association for Records Managers & Administrators). For the last five years Chris has worked with the Federal & State governments in implementing policies to assist with the prevention of Fraud and the protection of Identity. Certified in Mass Law with regard to Mass Reg 201 CMR 17:00 Chris conducts Compliance Training for clients and assists with developing their Written Information Security Plan (WISP). Chris conducts Information Sessions for a number of Colleges and Universities to future educate Administrators, faculty and the student body on information security and sustainability for saving the Environment. David Pinter, National Accounts Executive David began his career at Shred-it over 12 years ago. He has been assisting healthcare organizations with their compliance and document security efforts since 2003 when HIPAA was first launched. David is a member of Shred-it’s National Accounts Healthcare Team where he provides new business development support and consulting activities for customers in the Healthcare and Group Purchase Organization spaces. 2
Protecting Patient Privacy – how important is it? 3
What is HIPAA? • Health Insurance Portability and Accountability Act (HIPAA) HIPAA requires health care organizations to have and maintain safeguards to prevent intentional or unintentional use or disclosure of protected health information. • The Federal law that requires health care organizations to, “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” • Specifically, the management of private information is detailed through the Privacy Rule and the Security Rule. Both rules are designed to protect an individual’s private and confidential information by standardizing the rules for how it is used, handled, stored, etc. 4
What is HITECH? • The Health Information Technology for Economic and Clinical Health (HITECH) Act includes rules that impact organizations that operate within HIPAA legislation. • It is in direct relation to HIPAA because it imposes standards on medical and healthcare organizations (business associates) in addition to those that are imposed by HIPAA (CE’s). It was part of the Reinvestment Act of 2009. • This act requires that all organizations in the medical field apply “meaningful use” of technology that demonstrates security efforts. This ensures that the confidentiality, integrity and availability of protected data is not compromised. 5
Major Changes Brought on by HITECH Since 2009 •Enforcement has become more proactive; meaning there are more penalties for smaller breaches and more parties. •Data that falls under the scope of protection is now grown to include other personal information beyond EPHI. •Stricter audits are now in practice. •Every consumer now has a right to own a copy of their PHI without paying a fee. •Business Associates are now required to comply with this act, not just Covered Entities. •There are now more restrictions on the use of protected health information for marketing purposes. 6
Key Terms • PHI and EPHI • Covered Entity and Business Associate • Security Rule and Privacy Rule • Common Control • Willful Neglect 7
PHI and EPHI PHI: Protected Health Information EPHI: PHI that has been converted in some way to electronic media 8
What is Considered PHI? • Medical records • Diagnosis of a certain condition • Procedure codes on claim forms • Claims data or information • Explanation of Benefits (EOB) • Pre-authorization forms • Crime reports • Coordination of benefit forms • Enrolment information and forms • Election forms • Reimbursement request forms • Records indicating payment • Claims denial and appeal information 9
Covered Entity and Business Associate Covered Entities (CE’s) include health care providers, health care clearinghouses, and health plans that electronically store, process or transmit electronic protected information (EPHI). Business Associates (BA’s) are parties that include any person or group that provides or facilitates for a covered entity in some way. 10
Privacy Rule & Security Rule • The Privacy Rule • Establishes national standards to protect individuals’ medical records and other personal health information • Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically • Requires appropriate safeguards to protect the privacy of personal health information • Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization • Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections • The Security Rule • Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity • Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information 11
What is Common Control? •A situation where a covered entity has indirect or direct power or influence over another entity’s actions or policies. •It places the onus on the CE to ensure that the outside BA they contracted is taking the necessary safe guards and actions to protect the PHI of individuals. 12
What is Willful Neglect? • Defined as “A tendency to be negligent and uncaring” • In the context of HIPAA and HITECH the terms differs from case to case. • With regards to the health care industry, willful neglect is a failure to comply or perform certain necessary tasks that is either intentional or conscious. • HITECH brought in harsher penalties for willful neglect. 13
How do organizations and individuals comply? • Companies should explore the requirements of HIPAA Privacy and Security Rules. • Health care organizations must implement policies and procedures related to accessing information. • Business associates must adopt HIPAA-compliant practices. 14
Why is compliance important? Patient privacy is very important and people have the expectation that health care organizations keep their information secure and private. They expect that their information will be safe from breaches. Not only is compliance important for the patient’s sake, but for the company’s own interests as well. Not only is your reputation at risk of being damaged, but cases of willful neglect in HITECH can be vulnerable to a penalty of AT LEAST $50,000.00 per violation for a total of $1.5 million in a calendar year. Compliance is important on many levels regardless of the circumstances. 15
What happens if you don’t comply? There are different penalties put into place by HIPAA and HITECH depending on the circumstances and situation. Since HITECH came into the picture in 2009, the penalties have become harsher and less forgiving. 16
Security Breach A major insurance coverer in Tennessee had a massive breach in 2009 which affected over 1 million people. They settled in court as of this year with a settlement of $1.5 million •It involved the theft of 57 unencrypted computer hard-drives On those hard-drives were: •Members names •Social Security Numbers •Diagnosis Codes •Date of birth’s •Health plan ID numbers •The investigation showed a lack of and failure of implementation of an appropriate safe guards for information. Not only digital but physical safe guards are required by HIPAA/HITECH and were missing in this situation. •The Company spent almost $17 million attempting to rectify the situation 17
What are the Penalties? 18
If a person… They will be fined… Or face Imprisonment of… Causes, uses or Up to $50,000.00 1 Year obtains individually identifiable information Commits an offense Up to $100,000.00 5 Years under false pretences If a person Commits Up to $250,000.00 10 Years an offense with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. 19
What are some ways that you can avoid a violation or a breach? Here are Some Tips for Best Practice… 20
Best Practices Stay informed Learn about HIPAA and HITECH and other privacy laws that impact your organization, and how to stay compliant. Establish a security Document the flow of confidential plan information in your workplace, and make sure that you have formal security policies in place. Educate and enforce Train your employees to understand and follow your information security policies. Update staff on a regular basis and post your policy and guidelines as frequent reminders. 21
Best Practices Limit access Only authorized personnel should handle confidential documents. Create a retention Determine which documents you must policy keep and for how long. Clearly mark a destruction date on all records in storage. Eliminate risk Introduce a Shred-All policy for all documents that are no longer needed, so that your employees do not have to decide what is – or isn’t – confidential. Secure destruction Partner with a knowledgeable industry leader that specializes in secure information destruction. 22
Who is Shred-it? • Shred-it specializes in providing a tailored information destruction service that allows businesses to comply with legislation and ensure that the client, employee and confidential business information is kept secure at all times. • Through our strict chain-of-custody processes, reliable on-time service and a global network of local service centers, Shred-it provides the most secure and efficient confidential information destruction service in the industry. 23
QUESTIONS? 24
Where can you find more information? Sources http://resource.shredit.com/LegislativeFactSheets http://www.healthcareinfosecurity.com/ http://www.hipaasurvivalguide.com/ http://www.hhs.gov/ http://www.datamountain.com/resources/hipaa- hitech-compliance/hipaa-hitech-faq/ 25

More Related Content

PPT
Hitech Act
Deborah Obasogie
 
PDF
Hitech Act
ISACA New England
 
PPTX
What Are Electronic Health Records (EHRs)?
Practice Fusion
 
PPTX
HIPAA AND INFORMATION TECHNOLOGY
mariaradziminski
 
PPTX
HIPAA
LibbyGoodman
 
PPTX
Electronic Medical Record
Tricia Gervacio
 
PPTX
Telemedicine
Vatsal N Shah
 
PPT
hitech act
padler01
 
Hitech Act
Deborah Obasogie
 
Hitech Act
ISACA New England
 
What Are Electronic Health Records (EHRs)?
Practice Fusion
 
HIPAA AND INFORMATION TECHNOLOGY
mariaradziminski
 
HIPAA
LibbyGoodman
 
Electronic Medical Record
Tricia Gervacio
 
Telemedicine
Vatsal N Shah
 
hitech act
padler01
 

What's hot (20)

PDF
Health information exchange (HIE)
ACCESS Health Digital
 
PPTX
HIPAA
Alanoud Alqoufi
 
PDF
Health literacy presentation
Madelaine Saracutu
 
PPT
Health Information Exchange (HIE)
Greenway Health
 
PPT
5.social health insurance nrs
Hindustan Latex Family Planning Promotion Trust (HLFPPT)
 
PPTX
Health system
AnghamSolaiman
 
PPTX
Series of interview Questions
ClinosolIndia
 
PPTX
Healthcare Information Systems - Past, Present, and Future
Health Catalyst
 
PPTX
Health Insurance Portability & Accountability Act (HIPAA)
Arpitha Aarushi
 
PPTX
HIPPA-Health Insurance Portability and Accountability Act
Harshit Trivedi
 
PDF
Canada Health Act
DarriONeill
 
PPTX
Lecture 1 - Introduction to Canadian Health Care
Alexandre Mayer
 
PPTX
Health Literacy
Farhad Zargari
 
PDF
Mobile Health
Hosna Salmani
 
PPTX
Hipaa
Mehak AggarwAl
 
PPTX
Health sector reforms- INDIA
NazmaShaikh4
 
PPT
Electronic medical record for Doctors
Railwire
 
PPTX
Health Insurance and Portability and Accountability Act
সারন দাস
 
PPTX
Powerpoint presentation on EHR
informatics-jacqueline
 
PDF
Health financing in bangladesh why changes in public financial management rul...
HFG Project
 
Health information exchange (HIE)
ACCESS Health Digital
 
HIPAA
Alanoud Alqoufi
 
Health literacy presentation
Madelaine Saracutu
 
Health Information Exchange (HIE)
Greenway Health
 
5.social health insurance nrs
Hindustan Latex Family Planning Promotion Trust (HLFPPT)
 
Health system
AnghamSolaiman
 
Series of interview Questions
ClinosolIndia
 
Healthcare Information Systems - Past, Present, and Future
Health Catalyst
 
Health Insurance Portability & Accountability Act (HIPAA)
Arpitha Aarushi
 
HIPPA-Health Insurance Portability and Accountability Act
Harshit Trivedi
 
Canada Health Act
DarriONeill
 
Lecture 1 - Introduction to Canadian Health Care
Alexandre Mayer
 
Health Literacy
Farhad Zargari
 
Mobile Health
Hosna Salmani
 
Hipaa
Mehak AggarwAl
 
Health sector reforms- INDIA
NazmaShaikh4
 
Electronic medical record for Doctors
Railwire
 
Health Insurance and Portability and Accountability Act
সারন দাস
 
Powerpoint presentation on EHR
informatics-jacqueline
 
Health financing in bangladesh why changes in public financial management rul...
HFG Project
 
Ad

Similar to HIPAA and HITECH : What you need to know (20)

PPTX
HIPAA Audit Implementation
Valency Networks
 
PPTX
The Startup Path to HIPAA Compliance
Jim Anfield
 
PDF
HIPAA Panel Discussion
Dan Wellisch
 
PPTX
Hipaa for business associates simple
Jose Ivan Delgado, Ph.D.
 
PPTX
HIPAA and FDCPA Compliance for Process Servers
Lawgical
 
PDF
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Health IT Conference – iHT2
 
PPT
HIPAA Privacy & Security
National Pharmacy Technician Association
 
PPTX
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
KloudLearn
 
PPTX
Hitech changes-to-hipaa
geeksikh
 
PPTX
health insurance portability and accountability act.pptx
amartya2087
 
PPTX
Mha690 brittany koenig week 1 assignment2
bkoenig2010
 
PPTX
Mha690 brittany koenig week 1 assignment2
bkoenig2010
 
PPT
Knowing confidentiality
jessie66
 
PPTX
Data Management Protection Acts
Joseph White MPA CPM
 
PPTX
Annual HIPAA Training
Cynthia Holland
 
PPTX
Privacy & security training.pptx
Qmcleod
 
PPTX
Privacy & security training.pptx
Qmcleod
 
PPTX
HIPAA - Understanding the Basics of Compliance
Jay Hodes
 
PPT
Hipaa.ppt3
akwei2
 
PPT
Hipaa.ppt4
akwei2
 
HIPAA Audit Implementation
Valency Networks
 
The Startup Path to HIPAA Compliance
Jim Anfield
 
HIPAA Panel Discussion
Dan Wellisch
 
Hipaa for business associates simple
Jose Ivan Delgado, Ph.D.
 
HIPAA and FDCPA Compliance for Process Servers
Lawgical
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Health IT Conference – iHT2
 
HIPAA Privacy & Security
National Pharmacy Technician Association
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
KloudLearn
 
Hitech changes-to-hipaa
geeksikh
 
health insurance portability and accountability act.pptx
amartya2087
 
Mha690 brittany koenig week 1 assignment2
bkoenig2010
 
Mha690 brittany koenig week 1 assignment2
bkoenig2010
 
Knowing confidentiality
jessie66
 
Data Management Protection Acts
Joseph White MPA CPM
 
Annual HIPAA Training
Cynthia Holland
 
Privacy & security training.pptx
Qmcleod
 
Privacy & security training.pptx
Qmcleod
 
HIPAA - Understanding the Basics of Compliance
Jay Hodes
 
Hipaa.ppt3
akwei2
 
Hipaa.ppt4
akwei2
 
Ad

More from Shred-it (7)

PDF
Lifecycle of a Document
Shred-it
 
PDF
Recycling Shredded Paper
Shred-it
 
PDF
Security Tracker 2012 - U.S.
Shred-it
 
PDF
Every Workplace Needs to Reduce Risk of Data Breaches – Including Government ...
Shred-it
 
PPTX
50 Security Tips – Part 2
Shred-it
 
PPTX
50 Security Tips – Part 1
Shred-it
 
PPT
Your Employees and Information Security
Shred-it
 
Lifecycle of a Document
Shred-it
 
Recycling Shredded Paper
Shred-it
 
Security Tracker 2012 - U.S.
Shred-it
 
Every Workplace Needs to Reduce Risk of Data Breaches – Including Government ...
Shred-it
 
50 Security Tips – Part 2
Shred-it
 
50 Security Tips – Part 1
Shred-it
 
Your Employees and Information Security
Shred-it
 

Recently uploaded (20)

PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
August Patch Tuesday
Ivanti
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
August Patch Tuesday
Ivanti
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 

HIPAA and HITECH : What you need to know

  • 1. HIPAA and HITECH What You Need to Know
  • 2. Today's Presenters Andrew Lenardon, Director of National Accounts Indirect Solutions for North America at Shred-it Andrew Lenardon is the Director of National Accounts Indirect Solutions for North America at Shred-it International,Inc., where he brings over 15 years of sales and leadership experience. In his role, Lenardon leads a team of professionals in helping Healthcare and Enterprise client improve the security of how they handle confidential records and identify wasteful spending that can be shifted to priorities such as information security, compliance efforts and business efficiency. Lenardon has worked at Shred-it since 2006. A graduate from McMaster University, Lenardon holds a B.Sc. in Biochemistry and currently resides in Toronto, Canada. Chris Sheehan, Compliance Agent, Providence, Rhode Island Chris has a combined 17 years of experience in the Records Management & Information Security industries. In the past he has served on the Board of Directors and Vice President for ARMA (Association for Records Managers & Administrators). For the last five years Chris has worked with the Federal & State governments in implementing policies to assist with the prevention of Fraud and the protection of Identity. Certified in Mass Law with regard to Mass Reg 201 CMR 17:00 Chris conducts Compliance Training for clients and assists with developing their Written Information Security Plan (WISP). Chris conducts Information Sessions for a number of Colleges and Universities to future educate Administrators, faculty and the student body on information security and sustainability for saving the Environment. David Pinter, National Accounts Executive David began his career at Shred-it over 12 years ago. He has been assisting healthcare organizations with their compliance and document security efforts since 2003 when HIPAA was first launched. David is a member of Shred-it’s National Accounts Healthcare Team where he provides new business development support and consulting activities for customers in the Healthcare and Group Purchase Organization spaces. 2
  • 3. Protecting Patient Privacy – how important is it? 3
  • 4. What is HIPAA? • Health Insurance Portability and Accountability Act (HIPAA) HIPAA requires health care organizations to have and maintain safeguards to prevent intentional or unintentional use or disclosure of protected health information. • The Federal law that requires health care organizations to, “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” • Specifically, the management of private information is detailed through the Privacy Rule and the Security Rule. Both rules are designed to protect an individual’s private and confidential information by standardizing the rules for how it is used, handled, stored, etc. 4
  • 5. What is HITECH? • The Health Information Technology for Economic and Clinical Health (HITECH) Act includes rules that impact organizations that operate within HIPAA legislation. • It is in direct relation to HIPAA because it imposes standards on medical and healthcare organizations (business associates) in addition to those that are imposed by HIPAA (CE’s). It was part of the Reinvestment Act of 2009. • This act requires that all organizations in the medical field apply “meaningful use” of technology that demonstrates security efforts. This ensures that the confidentiality, integrity and availability of protected data is not compromised. 5
  • 6. Major Changes Brought on by HITECH Since 2009 •Enforcement has become more proactive; meaning there are more penalties for smaller breaches and more parties. •Data that falls under the scope of protection is now grown to include other personal information beyond EPHI. •Stricter audits are now in practice. •Every consumer now has a right to own a copy of their PHI without paying a fee. •Business Associates are now required to comply with this act, not just Covered Entities. •There are now more restrictions on the use of protected health information for marketing purposes. 6
  • 7. Key Terms • PHI and EPHI • Covered Entity and Business Associate • Security Rule and Privacy Rule • Common Control • Willful Neglect 7
  • 8. PHI and EPHI PHI: Protected Health Information EPHI: PHI that has been converted in some way to electronic media 8
  • 9. What is Considered PHI? • Medical records • Diagnosis of a certain condition • Procedure codes on claim forms • Claims data or information • Explanation of Benefits (EOB) • Pre-authorization forms • Crime reports • Coordination of benefit forms • Enrolment information and forms • Election forms • Reimbursement request forms • Records indicating payment • Claims denial and appeal information 9
  • 10. Covered Entity and Business Associate Covered Entities (CE’s) include health care providers, health care clearinghouses, and health plans that electronically store, process or transmit electronic protected information (EPHI). Business Associates (BA’s) are parties that include any person or group that provides or facilitates for a covered entity in some way. 10
  • 11. Privacy Rule & Security Rule • The Privacy Rule • Establishes national standards to protect individuals’ medical records and other personal health information • Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically • Requires appropriate safeguards to protect the privacy of personal health information • Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization • Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections • The Security Rule • Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity • Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information 11
  • 12. What is Common Control? •A situation where a covered entity has indirect or direct power or influence over another entity’s actions or policies. •It places the onus on the CE to ensure that the outside BA they contracted is taking the necessary safe guards and actions to protect the PHI of individuals. 12
  • 13. What is Willful Neglect? • Defined as “A tendency to be negligent and uncaring” • In the context of HIPAA and HITECH the terms differs from case to case. • With regards to the health care industry, willful neglect is a failure to comply or perform certain necessary tasks that is either intentional or conscious. • HITECH brought in harsher penalties for willful neglect. 13
  • 14. How do organizations and individuals comply? • Companies should explore the requirements of HIPAA Privacy and Security Rules. • Health care organizations must implement policies and procedures related to accessing information. • Business associates must adopt HIPAA-compliant practices. 14
  • 15. Why is compliance important? Patient privacy is very important and people have the expectation that health care organizations keep their information secure and private. They expect that their information will be safe from breaches. Not only is compliance important for the patient’s sake, but for the company’s own interests as well. Not only is your reputation at risk of being damaged, but cases of willful neglect in HITECH can be vulnerable to a penalty of AT LEAST $50,000.00 per violation for a total of $1.5 million in a calendar year. Compliance is important on many levels regardless of the circumstances. 15
  • 16. What happens if you don’t comply? There are different penalties put into place by HIPAA and HITECH depending on the circumstances and situation. Since HITECH came into the picture in 2009, the penalties have become harsher and less forgiving. 16
  • 17. Security Breach A major insurance coverer in Tennessee had a massive breach in 2009 which affected over 1 million people. They settled in court as of this year with a settlement of $1.5 million •It involved the theft of 57 unencrypted computer hard-drives On those hard-drives were: •Members names •Social Security Numbers •Diagnosis Codes •Date of birth’s •Health plan ID numbers •The investigation showed a lack of and failure of implementation of an appropriate safe guards for information. Not only digital but physical safe guards are required by HIPAA/HITECH and were missing in this situation. •The Company spent almost $17 million attempting to rectify the situation 17
  • 18. What are the Penalties? 18
  • 19. If a person… They will be fined… Or face Imprisonment of… Causes, uses or Up to $50,000.00 1 Year obtains individually identifiable information Commits an offense Up to $100,000.00 5 Years under false pretences If a person Commits Up to $250,000.00 10 Years an offense with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. 19
  • 20. What are some ways that you can avoid a violation or a breach? Here are Some Tips for Best Practice… 20
  • 21. Best Practices Stay informed Learn about HIPAA and HITECH and other privacy laws that impact your organization, and how to stay compliant. Establish a security Document the flow of confidential plan information in your workplace, and make sure that you have formal security policies in place. Educate and enforce Train your employees to understand and follow your information security policies. Update staff on a regular basis and post your policy and guidelines as frequent reminders. 21
  • 22. Best Practices Limit access Only authorized personnel should handle confidential documents. Create a retention Determine which documents you must policy keep and for how long. Clearly mark a destruction date on all records in storage. Eliminate risk Introduce a Shred-All policy for all documents that are no longer needed, so that your employees do not have to decide what is – or isn’t – confidential. Secure destruction Partner with a knowledgeable industry leader that specializes in secure information destruction. 22
  • 23. Who is Shred-it? • Shred-it specializes in providing a tailored information destruction service that allows businesses to comply with legislation and ensure that the client, employee and confidential business information is kept secure at all times. • Through our strict chain-of-custody processes, reliable on-time service and a global network of local service centers, Shred-it provides the most secure and efficient confidential information destruction service in the industry. 23
  • 25. Where can you find more information? Sources http://resource.shredit.com/LegislativeFactSheets http://www.healthcareinfosecurity.com/ http://www.hipaasurvivalguide.com/ http://www.hhs.gov/ http://www.datamountain.com/resources/hipaa- hitech-compliance/hipaa-hitech-faq/ 25