HIPAA Compliance for Mental Health Practices Mark Norby , CHP, & Cassidy Lach, MA, LPC


Presentation Transcript


  1. HIPAA Compliance for Mental Health Practices Mark Norby, CHP, & Cassidy Lach, MA, LPC

  2. “First, Do No Harm.” Auguste François Chomel (1788–1858) Parisian pathologist and clinician

  3. Why do we care? • Possible negative consequences of a mental health breach to the patient

  4. HIPAA red tape should never stand in the way of disclosures that are necessary for the welfare of the patient or the general public’s health and safety.

  5. Exceptions to HIPAA • The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others.

  6. Exceptions, Cont. • The Privacy Rule permits a HIPAA covered entity, such as a hospital, to disclose certain protected health information, including the date and time of admission and discharge, in response to a law enforcement official’s request, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person.  See 45 CFR § 164.512(f)(2). • http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html

  7. Exceptions, cont. • Where a patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others involved in the patient’s care or payment for care, as long as the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.

  8. Healthcare Under Attack “Now healthcare is considered a top target. The speed of these attacks and the volume with which they're occurring is increasing significantly. It just requires a much more robust response across the U.S. government and private sector. Major intrusions into healthcare providers' computer systems now are happening at the pace of two or three a day.” -- Jim Trainor, deputy assistant director, FBI Cyber Division, April 2015 http://searchhealthit.techtarget.com/news/4500246657/Federal-authorities-on-to-healthcare-cybercrime

  9. OCR Director Jocelyn Samuels indicated that OCR will continue to focus on “high impact” breaches that demonstrate systemic deficiencies to send a message to organizations that fail to conduct risk analysis, ignore known threats or have insufficient workforce training. That’s a warning that the practice of imposing large fines and resolution agreements on organizations OCR believes have disregarded HIPAA rules will continue. Health Data Management magazine (Feb. 2015)

  10. Examples of Privacy Breaches • Talking in public areas, talking too loudly, talking to the wrong person • Lost/stolen or improperly disposed of paper, mail, films, notebooks • Lost/stolen laptops, tablets, smart phones, media devices (video and audio recordings) • Lost/stolen tapes, disks, CDs, flash drives, memory drives, SD cards • Hacking of unprotected computer systems • Snail mail, email or faxes sent to the wrong address, wrong person, or wrong number • User not logging off of computer systems, allowing others to access their computer or system

  11. Violations Due to Willful Neglect • Violations resulting from willful neglect, defined to mean the conscious, intentional failure or reckless indifference to the obligation to comply with the regulations, will trigger the highest levels of penalties. Penalties arising from willful neglect cannot be waived.

  12. Copier hard drives ~ $1.2M • PHI accessible over internet ~ $1.7M • Senior leaders leak PHI to press ~ $275k • Firewall protection disabled for 10 months ~ $400k • Unencrypted stolen laptop with PHI of 441 patients ~ $50k • Unencrypted stolen laptop with PHI of 3,621 patients ~ $1.5M • Stolen USB hard drive ~ $1.7M • Appointment calendar on the internet ~ $100k • 57 unencrypted hard drives stolen ~ $1.5M • Staff looking at celebrity records ~ $865k • Lost paper documents ~ $1M • Failure to provide copies of medical records to patients ~ $4.3M • Illegal use of PHI for marketing ~ $35k • Inappropriate disposal of pill bottles ~ $1M and $2.25M • Loss of unencrypted backup media and laptops ~ $100k

  13. If we have a breach… • Inform all patients involved • Inform the Dept. of Health and Human Services • Implement corrections within 30 days If more than 500 patients from one state are involved: • Conduct a media campaign • Have name added to the HHS website • Wait for the audits and the fines

  14. Building Your HIPAA Compliance Program

  15. Mark Norby, CHP, WCA Regional Training Center • 15 Years of IT experience • 8 Years as the CIO of the Community Health Center of Central Wyoming and University of Wyoming Family Medicine Residency Program • 6 Years as a HIPAA Compliance Officer • 3 Years as a HIPAA Compliance Consultant • Provided help to more than 100 hospitals and clinics throughout Wyoming and Montana

  16. Disclaimers • The presenter is not an attorney and does not give legal advice • There are many different interpretations of HIPAA regulations • Materials referenced are meant to serve as examples and may not be suitable for every organization

  17. The Power to Heal; an Obligation to Protect

  18. Privacy and Security Starts at the Top • Designate a Privacy and Security Officer • Make sure that each has a job description • Select a qualified professional to assist you with the Security Risk Analysis • Promote a culture of protecting patient privacy

  19. Document Your Process, Findings, and Actions • Records will be essential if you are audited • Good faith effort can be the difference between a CAP and a fine • Maintain records for six years

  20. Examples of Documentation to Keep • Completed checklists • Security Risk Analysis Report(s) • Risk Management Action Plan • Business Associate Agreements • Trainings for staff • System monitoring results • Policies and Procedures • Meeting minutes

  21. Conduct a Security Risk Analysis • An ongoing process to identify risks to CIA (confidentiality, integrity, and availability) • It’s the first step towards Security Rule compliance • NOT optional – regardless of size • A checklist will not suffice • Health & Human Services recommends a nine-step process as outlined in NIST SP 800-66 • Consistently review/update and keep documentation • Soak up the education!

  22. Develop an Action Plan (Risk Management Plan) • Use Security Risk Analysis to identify threats and vulnerabilities • Focus on high priorities and low hanging fruit • Identify what needs to be done • Who is going to do it • When will it be done • The plan must include the following five components:

  23. 1) Physical Safeguards • Facility security ~ Is the server room locked? Who has keys to the building? • Workstation and office security ~ Are passwords written on a sticky note? Do workstations auto log-off? • Protecting portable devices ~ Encryption, auto log-off

  24. 2) Administrative Safeguards • Designated security officer • Workforce training and oversight • Controlling information access • Periodic security reassessment

  25. 3) Technical Safeguards • Controls on access to EHR and other software • Use of audit logs to monitor activities • Secure exchanges of electronic data

  26. 4) Policies and Procedures • Establish protocols for administrative, physical, and technical safeguards • Specify individual patient rights • Documented incident response plans • Processes for breach notification and sanctions

  27. 4) Policies and Procedures (cont’d) • Train staff on policies and procedures • Consistently apply policies and procedures • Periodically review and update P&P’s • Retain old P&P’s for six years after they have been updated or replaced

  28. 5) Organizational Requirements • Breach notification and associated policies ~ Are they in place, and have staff been trained? • Business associate agreements ~ Are they in place, and is the BA aware of their responsibilities?

  29. Business Associates • Responsibilities are very similar to those of a Covered Entity (CE) • CE is responsible for obtaining a Business Associate agreement obligating the BA to safeguard PHI • Breach notification requirements must be met • CE must respond to non-compliance

  30. Prevent with Education and Training • Build your policies and procedures and train, train, train, including employees, volunteers, trainees, and contractors • Keep copies of your P&P’s easy to find • Formally educate and train your workforce at least once a year or when changes happen

  31. Periodic Tasks to Consider • HIPAA Refresher Training ~ at least annually • Review of access rights ~ annually • Re-sign Confidentiality Agreements ~ annually • IT inventory ~ annually • Facility Walkthrough Inspection ~ annually

  32. Periodic Tasks to Consider • Assess firewall, router, anti-virus settings for optimum security • Annual report to HHS

  33. On behalf of Cassidy Lach, LPC, M.A. and the WCA Regional Training Center: Thank You! Mark Norby, Certified HIPAA Professional, Instructor/HIPAA Consultant Office: 307.237.4400 ext. 31 Cell: 307.258.5322 mnorby@wyomingcontractors.org
