Becoming HITECH
Review of the HITECH Act and its role in a
holistic approach to compliance
September 30, 2009
Agenda
• About Us
• Obligations of Healthcare Providers
• Review of HIPAA and Red Flags Rule Objectives
• Discussion on HITECH
– Objectives and Requirements
– Placement in ARRA
– Funding Opportunities
• Rethinking your Patient Privacy, Security, and Protection Strategy
About Us
Scott A. Rogerson, CISA, CAPM
The Hill Group, Inc.
About Us
• Management consulting firm
• Founded in 1953
• Headquartered in Pittsburgh, PA
• Affiliated with several consulting firms across the United States
Our Services
• Strategy
• Operations and Process Improvement
• Performance and Diagnostic Measurement
• Organizational Development
• Workforce and Economic Development
Our Clients Include
Health Care Providers and Associations
Obligations of Healthcare Providers
Privacy, Security, Protection
Security and Protection Obligations
• These obligations include ensuring the following:
– Completeness
– Accuracy
– Confidentiality
– Protection
• Additional areas of data management not addressed are:
– Availability
– Reliability
Healthcare providers are obligated to secure all data accepted from patients for treatment or other health care operations and to ensure that the privacy of that information is upheld.
HIPAA Purpose
• Purpose: Require the implementation of administrative, technical, and physical safeguards to:
– Ensure data integrity and confidentiality
– Protect against reasonably anticipated:
• Threats or hazards to the security or integrity of data
• Unauthorized use or disclosure
HIPAA Requirements
• Privacy policies and procedures
• Privacy notice
• Privacy official
• Workforce training and enforcement
• Mitigation process
• Complaint process
• Implement safeguards
– Administrative
– Technical
– Physical
• Retain policies, procedures, and notices for six years
Red Flags Purpose and Requirements
• Purpose: Preventing an individual with unauthorized data from obtaining unauthorized services
• Four Elements of Compliance for the Red Flags Rule:
1. Identify Red Flags for covered accounts and incorporate those red flags into the Program
2. Detect Red Flags that have been incorporated into the Program
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft
4. Update the Program at least annually to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft
• Compliance Date: November 1, 2009
Discussion on HITECH
HITECH Overview
• Health Information Technology for Economic and Clinical Health Act
– Title XIII and Title IV of Division B of the American Recovery and Reinvestment Act of 2009
• Objective: “Utilization of an electronic health record for each person in the United States by 2014”
– Requirements for Achievement:
• Confidence in Systems
• Confidence in Organizations
• Funding for Implementation
• Effective Date: September 23, 2009, but enforcement will be delayed until February 22, 2010
HITECH: Supplements to HIPAA
• Extension of “covered entity” requirements to the “business associate”
• State Attorney General Enforcement
• Establishes breach notification requirements
• Breach – “Unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information”
HITECH: Identifying a Breach
• Perform Risk Assessment to:
– Define the “harm threshold”
– Determine if breach falls into one of the seven exception criteria:
• Disclosure to the Individual
• Disclosure for Treatment, Payment and Health Care Operations (TPO)
• Opportunity to Agree or Object
• “Incident to”
• Limited Data Set / De-identified Data
• Has Authorization
• Public Policy (Legal Requirement, Law Enforcement, etc.)
HITECH: Breach Requirements
• HITECH requires that notification be communicated within 60 days from the day the breach is:
– Known by someone in the organization (other than the person committing the breach)
– By exercising reasonable diligence, would have been known
– Must provide notification without “unreasonable delay”
• Business Associate (BA) Notification Requirement
– Notify affected covered entity/entities of breach
– The covered entity is then required to notify individuals (unless contract states otherwise)
• If BA is agent of covered entity
– Must notify individuals within 60 days of BA discovery
• If BA is independent contractor
– Must notify individuals within 60 days of being notified
HITECH: Required Notification
• The required notification activities depend upon:
– Number of individuals impacted
– Location in which the individuals reside
• The breach notification must include the following in “plain language”:
– Brief description of what happened
– Types of information involved
– Steps affected individuals should take to protect themselves
– Definition of the steps the covered entity is taking to mitigate harm to individuals
– Contact procedures for individuals with additional questions
HITECH: Notification Req.
[Flowchart: Start → Identify Breach → Notify Individual → Notify Public → End, within 60 days]
• Identify Breach: Once a potential breach has been identified, perform a risk assessment to determine if the “harm threshold” indicates a breach occurred.
• Notify Individual: Notify the individuals affected by the breach using a written notice, including appropriate information. If individual(s) cannot be reached, follow the substitute notice procedure.
• Notify Public: Determine if a need exists to notify major media outlets, the HHS Secretary, and/or credit reporting agencies of the breach.
Refer to Decision Tree for Additional Detail
HITECH: Incentives for EHR
• Title IV – Medicare and Medicaid Health Information Technology; Miscellaneous Medicare Provisions of the ARRA includes the following provisions:
– Additional funding for eligible professionals adopting EHR prior to 2014
– Penalties for professionals not adopting by 2014
• “Meaningful Use” Requirement for Adoption
– Connected in a manner that provides for electronic exchange of health information
– Provider is able to generate and submit measurements of EHR use in their practice
• A “significant hardship” exemption exists
HITECH: The “Carrot” and the “Stick”
Incentive payments by first year of Meaningful Use (MU Year), paid out over the following years, and the payment penalties for non-adoption:

MU Year   2011     2012     2013     2014     2015     2016     2017     2018     2019     Total
2011      $18,000  $12,000  $8,000   $4,000   $2,000                                       $44,000
2012               $18,000  $12,000  $8,000   $4,000   $2,000                              $44,000
2013                        $15,000  $12,000  $8,000   $4,000                              $39,000
2014                                 $12,000  $8,000   $4,000                              $24,000
2015                                          None
Penalty                                       -1%      -2%      -3%      -4%      -5%      ??
Rethinking your Patient Privacy,
Security, and Protection Strategy
Risk Assessment Process
• HIPAA, Red Flags, and HITECH require the performance of a risk assessment to determine the necessary safeguards
• When performing this assessment, the following should be considered for each risk area:
– Likelihood
– Impact
– Effectiveness
• Prevention
• Detection
• Mitigation
Risk Assessment Areas
• Areas to Consider:
– Current Policies / Procedures
• Design Effectiveness
• Operating Effectiveness
– Application Risks
• Role-based Access
• Application Controls
– Data Assessment (Create, Transmit, Store, Dispose)
• Creation
• Storage (primary and secondary)
• Transmission
• Disposal
– Organization
– External Risks
• Environmental Risks (Flood, Power Failure)
• Liability – Business Associate/Vendor Agreements
Remediation Efforts
• No policy, procedure, or application should be implemented solely for regulatory purposes
• People and Process are still the critical components to an efficient, effective, and compliant organization
– The individuals who own the information may be your most effective (and least costly) detective control
• Physical / Technical safeguards should be integrated into the processes utilizing the technology to increase efficiency, reliability, and utilization of the information
• Compliance practices should be customized to the organization
Discussion and Q&A
Thank You
If you have any additional questions, please feel free to
contact me:
Scott A. Rogerson, CISA, CAPM
412-722-1111
srogerson@hillgroupinc.com
The Hill Group, Inc.
2 East Main Street
Carnegie, PA 15106-2456 USA
www.hillgroupinc.com