ACS Sponsored Practice Management Teleconference

Transcription

ACS Sponsored Practice Management Teleconference Series
April 6, 2005

Preparing for the HIPAA Security Rules

The final HIPAA Security Rules were published on February 20, 2003 and in many respects they add to and expand on the HIPAA Privacy Rules. Dealing primarily with the safeguarding of Protected Health Information (PHI) in an electronic format, they also expand on the physical safeguards needed for paper-based medical records. This course will provide a broad overview of the Security Rules and the actions that need to be taken prior to the effective date of April 20, 2005. These actions fall into three unique groups: Administrative Safeguards, Physical Safeguards and Technical Safeguards. The HIPAA Security Rule, like the Privacy Rule, is scalable, which means that small practices will not be expected to have as comprehensive a program for compliance, but critical actions will be needed to comply and to assure the safety of PHI.

This Practice Management Teleconference is just $99 for ACS Fellows & their Practices:
- A 90-minute live teleconference including a formal presentation and time for Q&A
- The course is offered live on Wednesday April 6th (convenient for your staff) and will be available via the Internet shortly thereafter. Your registration fee covers either one or both presentations and handout materials.
- The ability for ACS Fellows and practice managers to e-mail follow-up questions to Economedix Practice Management Advisors for personalized responses

Sponsored by the American College of Surgeons

Course Objectives - Completion of this Practice Management Course will provide:
1. A broad understanding of the HIPAA Security Rules
2. Methods to understand and measure "Risk Assessment" to define current security
3. A definition of actions that must be taken for medical practices to prepare for the implementation
4. Sample HIPAA Security Policies and Procedures that will be needed for small to mid sized practices
5. An understanding of employee training requirements needed to fully implement the HIPAA Security Rules

CME Certification Statement - This activity has been planned and implemented in accordance with the Essential Areas and policies of the Accreditation Council for Continuing Medical Education (ACCME) through the joint sponsorship of the American College of Surgeons and Economedix, LLC. The American College of Surgeons is accredited by the ACCME to provide continuing medical education to physicians. The American College of Surgeons designates a maximum of 1.5 Category 1 credits toward the AMA Physician's Recognition Award for successful completion of this course. To earn the CME credits through the American College of Surgeons, the individual must dial into the teleconference, remain on the telephone line for the full 90-minute session, then complete the combination Evaluation / CME Form that will be included with the course materials. The Evaluation / CME Form must be completed and FAXED back within seven days following the date of the teleconference.

Faculty - The faculty for the course is Mr. R. Thomas (Tom) Loughrey, MBA. Mr. Loughrey is CEO of Economedix and a noted practice management consultant to physicians, medical offices and medical societies. For over a decade, Mr. Loughrey has provided consulting services to the College as a part of the Consultant's Corner at the annual ACS Clinical Congress and regularly is engaged by ACS to speak and teach at meetings and workshops throughout the country.

Registration & Information - This completed form can be Faxed Toll Free to 877-813-9784, or mailed to Economedix, 160 William Pitt Way, Pittsburgh, PA 15238. For complete details and secure On-Line Registration simply go to: http://YourMedPractice.com/ACS

Thank you for your interest in this HIPAA Program!

Registration form:
Practice:
Address:
City: State: Zip:
Contact:
Phone: Fax:
E-Mail:
PM Program: [ ] Preparing for the HIPAA Security Rules - we plan on attending the following sessions: [ ] Wednesday April 6th @ 3 PM Eastern, [ ] Via the Internet or [ ] Both Presentations.
Form of Payment: [ ] Check Payable to Economedix, LLC & mailed to: 160 William Pitt Way, Pittsburgh, PA 15238 or [ ] Credit / Debit Card (MC, Visa, Discover or American Express)
Card Number (15 or 16 digits): Expiration Date: /
Name on Card:

American College of Surgeons
Preparing for the HIPAA Security Rules — Dates: 04/06/2005
EVALUATION / CME FORM

NAME:
ACS Fellow #:
Telephone #:
E-mail Address:

Please circle one number for each statement (5 = Strongly Agree, 4 = Agree, 3 = Neutral, 2 = Disagree, 1 = Strongly Disagree):
1. Program topics and content were consistent with printed objectives (5 4 3 2 1)
2. Program topics and content were relevant to my educational needs (5 4 3 2 1)
3. Presenters were informative and added knowledge to the session (5 4 3 2 1)
4. Discussion time was adequate and enhanced understanding of subject (5 4 3 2 1)
5. Acquired knowledge will be applied in my practice environment (5 4 3 2 1)
6. Supplemental written materials helped clarify course content (5 4 3 2 1)
7. I will seek additional information on this subject (5 4 3 2 1)

For the following two statements, 5 = Very Good, 4 = Good, 3 = Fair, 2 = Poor, 1 = Very Poor:
8. The quality of the audio presentation was (5 4 3 2 1)
9. Overall this Practice Management Course was (5 4 3 2 1)

General Comments for this Course:

Surgical Specialty:
[] Colon & Rectal Surgery
[] General Surgery (includes Oncology and Trauma)
[] Neurological Surgery
[] Obstetrics/Gynecological Surgery
[] Ophthalmic Surgery
[] Orthopaedic Surgery
[] Otorhinolaryngology
[] Pediatric Surgery
[] Plastic Surgery
[] Thoracic Surgery
[] Urological Surgery
[] Vascular Surgery
[] Other - Please Specify Below:

Years out of Residency Training:
[] 1-5
[] 6-10
[] 11-20
[] 21-30
[] Over 30

Primary Type of Practice:
[] Private Practice
[] PPO/HMO
[] Group Practice
[] Academic Institution
[] Hospital
[] Military
[] Other - Please Specify Below:

Please FAX this Evaluation / CME Form Toll Free to: 877-813-9784 within 7 days following this Teleconference to receive CME recognition from the American College of Surgeons. Thank You!

Sign In Sheet
Educational Activity: HIPAA Security Training
Dates: April 6, 2005 @ 3 PM Eastern
Faculty: R. Thomas Loughrey, MBA, CCC-P of Economedix, LLC
Sponsor: The American College of Surgeons
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.

Economedix, LLC - This presentation is copyright 2004 - 2005

Presentation Overview:
- Overview of the HIPAA Security Rule
- Integration with the HIPAA Privacy Rule
- Thinking about security and how it relates to your size practice
- The Four Requirements of the Rule
- Risk Analysis and Risk Management
- Business Associate Contracts
- Implementation Plan


HIPAA Security SERIES
Security 101 for Covered Entities
Volume 2 / Paper 1
November, 2004

HIPAA Security Topics (papers in the series):
1. Security 101 for Covered Entities
2. Security Standards - Administrative Safeguards
3. Security Standards - Physical Safeguards
4. Security Standards - Technical Safeguards
5. Security Standards - Organizational, Policies & Procedures, and Documentation Requirements
6. Basics of Risk Analysis & Risk Management
7. Implementation for the Small Provider

Compliance Deadlines: No later than April 20, 2005 for all covered entities except small health plans, which have until no later than April 20, 2006.

Security Regulation: The final Security Rule can be viewed and downloaded from the CMS Website at: http://www.cms.hhs.gov/hipaa/hipaa2

What is the Security Series?
The security series of papers will provide guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled "Security Standards for the Protection of Electronic Protected Health Information", found at 45 CFR Part 160 and Part 164, Subparts A and C. This rule, commonly known as the Security Rule, was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The series will contain seven papers, each focused on a specific topic related to the Security Rule. The papers, which cover the topics listed above, are designed to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards. While there is no one approach that will guarantee successful implementation of all the security standards, this series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions.

This first paper in the series provides an overview of the Security Rule and its intersection with the HIPAA Privacy Rule, the provisions of which are at 45 CFR Part 160 and Part 164, Subparts A and E.

Administrative Simplification
Congress passed the Administrative Simplification provisions of HIPAA, among other things, to protect the privacy and security of certain health information, and promote efficiency in the health care industry through the use of standardized electronic transactions. The health care industry is working to meet these challenging goals through successful implementation of the Administrative Simplification provisions of HIPAA. The Department of Health and Human Services (HHS) has published rules implementing a number of provisions, including:

(Figure: HIPAA Administrative Simplification rules - Privacy; Electronic Transactions and Code Sets*; National Identifiers; Security)

* NOTE: The original deadline for compliance with the transactions and code sets standards was October 16, 2002 for all covered entities except small health plans, which had until October 16, 2003 to comply. The Administrative Simplification Compliance Act provided a one-year extension to covered entities that were not small health plans, if they timely submitted compliance plans to HHS.

- Privacy Rule – The deadline for compliance with privacy requirements that govern the use and disclosure of protected health information (PHI) was April 14, 2003, except for small health plans which had an April 14, 2004 deadline. (Protected health information, or "PHI", is defined at 45 CFR § 160.103, which can be found on the OCR website at http://hhs.gov/ocr/hipaa.)
- Electronic Transactions and Code Sets Rule – All covered entities should have been in compliance with the electronic transactions and code sets standard formats as of October 16, 2003.
- National identifier requirements for employers, providers, and health plans - The Employer Identification Number (EIN), issued by the Internal Revenue Service (IRS), was selected as the identifier for employers. Covered entities must use this identifier effective July 30, 2004 (except for small health plans, which have until August 1, 2005). The National Provider Identifier (NPI) was adopted as the standard unique health identifier for health care providers. The Final Rule becomes effective May 23, 2005. Providers may apply for NPIs on or after that date. The NPI compliance date for all covered entities, except small health plans, is May 23, 2007; the compliance date for small health plans is May 23, 2008. The health plan identifier rule is expected in the coming years.
- Security Rule - All covered entities must be in compliance with the Security Rule no later than April 20, 2005, except small health plans which must comply no later than April 20, 2006. The provisions of the Security Rule apply to electronic protected health information (EPHI).

Who must comply?

NOTE: The definition of covered entities provided here summarizes the actual definitions found in the regulations. For the definitions of the three types of covered entities, see 45 C.F.R. § 160.103 which can be found at: www.hhs.gov/ocr/hipaa

All HIPAA covered entities must comply with the Security Rule. In general, the standards, requirements, and implementation specifications of HIPAA apply to the following covered entities:
- Covered Health Care Providers - Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
- Health Plans - Any individual or group plan that provides or pays the cost of health care (e.g., a health insurance issuer and the Medicare and Medicaid programs).

(Sidebar: HIPAA SECURITY STANDARDS)
Security Standards: General Rules
ADMINISTRATIVE SAFEGUARDS: Security Management Process; Assigned Security Responsibility; Workforce Security; Information Access Management; Security Awareness and Training; Security Incident Procedures; Contingency Plan; Evaluation; Business Associate Contracts and Other Arrangements
PHYSICAL SAFEGUARDS: Facility Access Controls; Workstation Use; Workstation Security; Device and Media Controls
TECHNICAL SAFEGUARDS: Access Control; Audit Controls; Integrity; Person or Entity Authentication; Transmission Security
ORGANIZATIONAL REQUIREMENTS: Business Associate Contracts & Other Arrangements; Requirements for Group Health Plans
POLICIES & PROCEDURES & DOCUMENTATION REQUIREMENTS

- Health Care Clearinghouses - A public or private entity that processes another entity's health care transactions from a standard format to a non-standard format, or vice-versa.
- Medicare Prescription Drug Card Sponsors – A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act. This fourth category of "covered entity" will remain in effect until the drug card program ends in 2006.

For more information on who is a covered entity under HIPAA, visit the Office for Civil Rights (OCR) website at www.hhs.gov/ocr/hipaa or the CMS website at http://www.cms.hhs.gov/hipaa/hipaa2. An online tool to determine whether an organization is a covered entity is available on the CMS website, along with a number of frequently asked questions (FAQs).

HIPAA SECURITY

Why Security?

Confidentiality - EPHI is accessible only by authorized people and processes
Integrity - EPHI is not altered or destroyed in an unauthorized manner
Availability - EPHI can be accessed as needed by an authorized person

NOTE: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as covered entities' organizations and technologies change.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of computers to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. For example, in order to provide more efficient access to critical health information, covered entities are using web-based applications and other "portals" that give physicians, nurses, medical staff as well as administrative employees more access to electronic health information. Providers are also using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies creates an increase in potential security risks.

As the country moves towards its goal of a National Health Information Infrastructure (NHII), and greater use of electronic health records, protecting the confidentiality, integrity, and availability of EPHI becomes even more critical. The security standards in HIPAA were developed for two primary purposes. First, and foremost, the implementation of appropriate security safeguards protects certain electronic health care information that may be at risk. Second, protecting an individual's health information, while permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry – an important goal of HIPAA.

The Privacy Rule and Security Rule Compared

The Privacy Rule sets the standards for, among other things, who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to EPHI will actually have access. With the passing of both the privacy and the electronic transactions and code set standards compliance deadlines, many covered entities are focusing on the security requirements. In developing the Security Rule, HHS chose to closely reflect the requirements of the final Privacy Rule. The Privacy Rule requires covered entities to have in place appropriate administrative, physical, and technical safeguards and to implement those safeguards reasonably. As a result, covered entities that have implemented the Privacy Rule requirements in their organizations may find that they have already taken some of the measures necessary to comply with the Security Rule.

NOTE: The Security Rule applies only to EPHI, while the Privacy Rule applies to PHI which may be in electronic, oral, and paper form.

The primary distinctions between the two rules follow:
- Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients' protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other rela
