KMC University, 2022 KMC University, All Rights Reserved.

Transcription

www.KMCUniversity.com, 7/9/2022, phone 855-832-6562

HIPAA: Getting Started with HIPAA Compliance
Jill Foote, HealthCare IT Specialist
KMC University (KMCUNIVERSITY.COM), 2022 KMC University, All Rights Reserved

Virtual Training Tips
- Avoid distractions
- Avoid multitasking
- Silence your phone
- Turn off email notifications
- Stay comfy
- Stand up and stretch often
- Make a list of questions as you go

HIPAA Compliance: It is More Than Just a Manual

Course Outline
We will discuss:
- HIPAA Requirements & Patients' Rights
- Basics of HIPAA
- Your HIPAA Status
- Components of a HIPAA Manual
- Tracking PHI
- Identifying Business Associates
- Role Based Access Assignment
- Overview of Risk Management

What is HIPAA?
How Much is Too Much?
HIPAA – Health Insurance Portability and Accountability Act (or "Helping Increase Paperwork CA")
Are You a Covered Entity?

The Two Main Rules / Four Major Components
- Privacy Rule: In December 2000, HHS published a final Privacy Rule that was later modified in August 2002.
- Security Rule: In February 2003, HHS published a final Security Rule.
Timeline dates shown on the slide: 14 Apr. 2003, 14 Apr. 2004, 20 Apr. 2005, 20 Apr. 2006

More Rules & Revisions (timeline)
- Enforcement Rule: 16 Mar. 2006
- Breach Notification Requirement: 23 Sep. 2009
- HITECH Act Enforcement Rule: 29 Oct. 2009
- Omnibus Rule: 26 Mar. 2013

HIPAA Privacy Rule
- Rules and regulations to protect individually identifiable health information
- Sets the standards for how to maintain privacy for PHI by focusing on confidentiality and authorized access

The Notice of Privacy Practices

Notice of Privacy Practices
- How your office may use and disclose PHI
- What the patient's rights are, including how to make a complaint in your office
- When the notice becomes effective
- Who can legally obtain the patient's healthcare information (except for TPO)
- Whom patients can contact for further information about the office's privacy policies

Notice of Privacy Practices: The Patient is in the Driver's Seat

Notice of Privacy Practices Acknowledgement: Do You Have a Process?
- The patient's right: documented attempts
- Use and disclosure authorization
- Process & procedure for honoring all requests to restrict disclosure

Know Your Patient's Rights

HIPAA Security Rule
A set of security standards for the protection of electronic protected health information (ePHI)

Fees

The Three Main Safeguards
- ePHI: Electronic Protected Health Information
- PHI awareness: key component of the HIPAA Security Rule

Risk Assessment

Virtual Scavenger Hunt: Game Time (Get Ready to Raise Your Hand)

Office of Civil Rights

HIPAA Scavenger Hunt
1. Locate the name of your HIPAA Officer on a policy or similar document
2. Locate your Incident Response & Reporting Policy
3. Locate your HIPAA training log
4. Locate your 2021 Risk Assessment Report

What Did It Cost You?
- The OCR penalty
- Audit expenses: legal assistance

Not a Good Marketing Strategy
- 5,335 patients impacted
- Offering all affected patients 12 months of credit monitoring
Do the math: average 8.99 to 39.95 per month for credit monitoring; 5,335 x 8.99 = 47,961.65

HIPAA Evaluation
- HIPAA Compliance Officer
- Solid understanding of Protected Health Information
- Business Associate Agreements in place with all vendors who are classified as Business Associates
- A list of all assets, devices and applications that access, transmit, or store PHI
- Training logs
- Role Based Access assignment
- Risk Assessment Reports on file for each year
- Corrective Action Plans with target dates
- Policies and Procedures that address both the Privacy and Security Rules
- Solid Contingency Plan and Disaster Recovery Plan that is tested each year

Your HIPAA Manual: Building a HIPAA Manual
- Location: cloud based drive or shared network folder
- Folders: create a main folder and subfolders
- Access: provide access to workforce members
- Support tool

HIPAA Manual Contents
- History of HIPAA
- Key Components of the Rules
- Notice of Privacy Practice Requirements
- Patient's Rights
- Evaluated Audit Readiness
- Importance of Documenting a HIPAA Compliance Program
- Creating a HIPAA Manual
- BAA
- NPP
- Policies
- Resources
- Risk Assessment
- Risk Management
- Sanctions
- Workforce Training

Summary: HIPAA Overview & Set Up

Next Up: Tracking PHI & Identifying Business Associates
We will discuss:
- What is PHI?
- How to identify PHI
- PHI awareness

Break: Quick Coffee Break

Protected Health Information: Tracking PHI
What is PHI? You cannot protect something if you don't know where it resides.
- Related to the person's health, physical care, or payment, in the past, present or future
- Individually identifiable health information that is maintained or transmitted in any medium; this includes paper, electronic and verbal exchanges

The Magic 18
1. Name
2. Any geographic subdivision smaller than a state, including street, city, county, zip
3. Dates: birthdates, treatment dates, etc.
4. Phone numbers
5. Fax number
6. Email address
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle ID, including VIN, serial number, license plate number
13. Device identifier and serial numbers
14. URL
15. IP address
16. Biometric identifier, finger and voice print
17. Full face photographs
18. Any other identifier that is unique to the patient

Identifying PHI

Is It PHI?

Is it PHI? Count the Identifiers
- Mr. Mike Brown, New York
- Info@heavenlychiropractic.com
- Heavenly Chiropractic
- 888-555-1212
- Patient Email: anonymous@xyz.com
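The Magic 18 list and the "Count the Identifiers" exercise above, as an added example that is not from the KMC University slides: a small Python scanner that flags the pattern-detectable identifier categories (dates, phone, email, SSN, MRN, URL, IP) plus an honorific-based name heuristic, counts the hits, and redacts them toward a de-identified copy. The sample text is constructed from the slide's exercise with a visit date and an MRN line added; the regex patterns and the "MRN" label format are assumptions, not anything the slides specify.

```python
import re
from collections import defaultdict

# Pattern-detectable categories from the slide's "Magic 18" list, numbered as on
# the slide. Names and place names normally need a dictionary or NER; "1. Name"
# here is only an honorific-prefix heuristic, and the MRN label is assumed.
PATTERNS = {
    "1. Name": re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?[ \t]+[A-Z][a-z]+(?:[ \t]+[A-Z][a-z]+)*"),
    "3. Dates": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "4. Phone numbers": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "6. Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "7. Social Security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "8. Medical record numbers": re.compile(r"\bMRN[ \t]*[:#]?[ \t]*\d+\b"),
    "14. URL": re.compile(r"\bhttps?://\S+"),
    "15. IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed input: the slide's "Count the Identifiers" exercise plus a visit
# date and an MRN line added for illustration.
SAMPLE = """Mr. Mike Brown, New York
Info@heavenlychiropractic.com
Heavenly Chiropractic
888-555-1212
Patient Email: anonymous@xyz.com
Next visit 7/9/2022, MRN 40021"""


def scan(text):
    """Return {category: [matched strings]} for every category with a hit.
    Hits are candidates only: a reviewer decides whether each one is tied to
    an individual's health information (the clinic's own office email and
    phone number, for example, are business contact details, not patient PHI)."""
    hits = defaultdict(list)
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits[label].append(m.group(0))
    return dict(hits)


def count_identifiers(text):
    """Total identifier hits across all categories."""
    return sum(len(v) for v in scan(text).values())


def redact(text):
    """Replace each hit with a bracketed category tag (first step toward the
    de-identified form the slides say needs no HIPAA safeguards); rescanning
    the output should find nothing."""
    for label, rx in PATTERNS.items():
        text = rx.sub("[" + label.split(". ", 1)[1].upper() + "]", text)
    return text
```

Running scan(SAMPLE) flags the office email and phone alongside the patient's, which is the point of the exercise: the tool surfaces candidates, and the workforce member decides which ones are tied to a patient.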

Is it PHI? Posture Scanning Application
Photos reside on the device and in the application.

Tracking PHI
- Practice management software
- Email
- OneDrive / Google Drive
- Cloud based backup
- Text reminder service
- Website "Contact Us" page

Web Browser Applications: Portals

Third Party Claims Management Portals

Email and Scheduling Apps
Office Chat Apps
Hidden Spots
Voice Mail Apps
File Sharing Apps

How is It Accessed?
If you can log in, know the terms of compliance.
Identify each application that provides access to patient data and personal information.

Audit Your Workflow & Workforce Members
- PHI is more than just the medical record
- ePHI is the most difficult to track
- Check your sign-in process: do you have auto fill enabled for your password?
- De-identified PHI does not require HIPAA safeguards
- Is the device you use secure? Is the network secure?
- A clinic should implement safeguards for both PII and PHI
- Do you have PHI and PII stored in unsecured folders or drives on your device?

Summary: Tracking PHI

What Is a Business Associate?
We will discuss how to:
- Identify vendors
- Confirm Business Associate status
- Create Business Associate Agreements

Business Associate
"A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to a covered entity that involve access by the business associate to protected health information."

Vendors are MORE than just your EHR

Identify Your Business Associates

Not A Business Associate
- Workforce member
- Telephone company
- Electrician
- Building manager
- Conduit company such as Postal Service, UPS, private courier

Make A List
- Vendor name
- Locate privacy policy
- Vendor name – HIPAA
- Vendor name – search

Download Privacy Policy (example: Availity)

Locate All Compliance Resources

Business Associate Agreement: A REQUIREMENT
- Identify Business Associate (BA)
- Google search
- Initiate request for BAA
- If vendor supplies one, review before signing
- Confirm signatures, contact information and date

Locate Agreement: check dates, most recent version

Office Ally BAA: locate the BAA portion

Update Status on BAA Listing

Do BAAs Expire?
- Most BAAs are based on the terms of use agreement or contract agreement
- Older BAAs might have an expiration date
- BAAs do not need to be signed each year unless the vendor makes a revision

Audit Your Process: The BAA Process
- Review BAA listing
- Track PHI in your clinic
- Review current agreements
- Identify all vendors
- Notify BA of revisions (if any) or patient restrictions
- Locate privacy policy online, download a copy
- Confirm all BAAs are signed and dated
- List your vendors (include URL, mailing address, phone, email)
- Send notification to purge (return) data if the contract is terminated
- Determine if BA
- Verify listing matches signed agreements (headcount)
- Initiate BAA with cover letter
- Schedule yearly review of BAs
- A copy of all BAAs should reside in the HIPAA manual
- File signed and dated copy
- Train entire team to notify the CO prior to engaging a new vendor
- Update BAA listing

Next Up: Identifying Business Associates
- Identify vendors
- Track PHI with vendors
- Identify Business Associates
- Create A ry
- Document process in manual

Role Based Access Assignments

We will discuss:
- Understanding Role Based Access
- Verifying access & permissions
- Setting permissions in software

Poll Question: How many have an individual user name and password for each employee on each device in the clinic?

What is Role Based Access?
Role Based Access Control is an approach to restricting system access to authorized users.

Assess Job Duties & PHI Access

Identify Devices

User Account Assigned
Justify Necessity
Set Restrictions: Permissions
Core Principle
Protect Your Clinic
PHI Access Acknowledgement

How Much Access? Verify Access
- Observe intake process
- Locate all applications
- Look at scan folders
- Look at folders / cloud based drives
- Check permissions and access in PM software / EHR
- Verify email access
- Confirm with workforce member

Summary: Role Based Access Assignment, Document RBA Log
- Identify your devices
- Assign status
- Users
- Employee job duties
- Applications accessed
- Permission level (verify)
- PHI Access Acknowledgment Form (confirm, sign)

Risk Management: What You Need to Consider
Poll Question: How many in attendance have a HIPAA Risk Assessment Report on file for the year 2021?

Risk Assessment

Corrective Action

Management Is Required

Defining Risk
- Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
- Unintentional errors and omissions
- IT disruptions due to natural or man-made disasters
- Failure to exercise due care and diligence when implementing and operating the IT system

The Security Management Process Standard, at §164.308(a)(1)(i), in the Administrative Safeguards section of the Security Rule, requires covered entities to: "implement policies and procedures to prevent, detect, contain, and correct security violations."

Keys to Risk Management

Vulnerabilities
Vulnerability: "flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."

Training

Identify

Identify Devices

Users

Asset Log
- Identify all areas where PHI is created, maintained, received, and/or transmitted
- List item, location, OS, serial

ePHI Hiding Spots / Threats
- USB drives
- Hard drives of copiers / scanners / fax machines
- Staff text messages
- Voice mail recordings / dictation (smartphone)
- Old EMR system
- 3rd party backup or cloud service

Phishing Email
Vishing Attack
Active Directory
Endpoint Management
Monitor: users, permissions, network activity, programs, log in
Firewall
Antivirus Reports

Logs & Reports: Written Proof of Compliance
- PHI disclosure
- PHI destruction
- Incident reports
- Repair log
- Device movement log
- Emergency access document

Disaster Plan

Responsibility
HHS states, "A covered entity may choose to use internal or external resources to perform these projects. The Security Rule does not require or prohibit either method. It is important to note that, even if it uses outside vendors to implement the security measures selected, the covered entity is responsible for its compliance with the Security Rule."

Contingency Plan
- Systems down
- Incident reporting
- Security awareness
- Backup plan
- Data recovery & integrity
- Breach notification

Training: HIPAA Training
- Yearly training
- Document training
- Monthly training
- Disciplinary forms
- Updates on threats
- Implement sanctions

Termination Checklist

No Short Cuts! Identify, Monitor, Document, Train

Risk Management Daily Tasks
- Monitor: access, log ins, suspicious activity
- Check on: backup, antivirus, software updates, firewall
- Secure: paper documents, mobile devices
- Print: next day schedule

Risk Management Yearly Tasks
- Complete Risk Assessment
- Create action task for corrective actions
- Document any changes to systems / workforce
- Review Policies and Procedures
- Test backup recovery process and integrity
- Review logs, reports, forms
- Conduct team training
- Review Business Associate Agreements

Create a Risk Management To Do List

Implement & Maintain Safeguards

Drive Encryption: WHY?

Safe Harbor
Identify - Assess - Control - Review
If the ePHI that has been breached is encrypted consistent with the HIPAA standards set forth in 45 CFR § 164.402(2) and HHS' Guidance,[iv] the incident falls within the breach "safe harbor" and the CE is not required to report the incident to its customer or the OCR.

Is Your Clinic OCR Ready? HR 7898 – Safe Harbor
- Do you have a completed Risk Assessment on file for 2021/2022?
- Do you have a documented Risk Management Process in your clinic?
- Do you have Policies and Procedures in place that are documented, updated and trained on regularly?

Wall of Shame

Simple Changes
- Set up individual users and passwords for each workstation
- Make sure all users are Standard Users and not Admin
- Reset all passwords to your applications and software (no dictionary words, 8 characters, nothing duplicated)
- Reset the password on your router / modem: NO DEFAULT PASSWORDS

Before / After

Solid Backup Process: TEST IT!

Educate Staff on Real Threats

Summary: Risk Management
- Track PHI
- Assess risk
- Corrective action
- Identify threats
- Monitor access
- Document
- Implement policies
- Train staff

Rise Above the Rest: COMMITMENT to Compliance

KMC University, 2022 KMC University, All Rights Reserved, Info@KMCUNIVERSITY.COM
In collaboration with Easy Tech Compliance, Hello@easytechcompliance.com

Let's Discuss: Questions?
