2024 HIPAA Compliance Training Guide to the Compliance Officers

ConferencePanel1, 20 slides, Jun 07, 2024

About This Presentation

Join us for a comprehensive 90-minute lesson designed specifically for Compliance Officers and Practice/Business Managers. This 2024 HIPAA Training session will guide you through the critical steps needed to ensure your practice is fully prepared for upcoming audits. Key updates and significant chan...


Slide Content

HIPAA Training for the Compliance Officer
Brian L. Tuttle, CPHIT, CHA, CHP, CBRA, CISSP, CCNA, Net +

•The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
•Enacted by the United States Congress and signed by President Clinton in 1996.

Bipartisan bill, also known as the Kennedy-Kassebaum Act, named after two of its major sponsors:
•Senator Ted Kennedy (D) Massachusetts
•Senator Nancy Kassebaum (R) Kansas

The Bush Years
Technical corrections to the law:
•Mandated that OCR enforce HIPAA.
•HHS allowed the public to comment on what modifications, if any, should be made to the Privacy Rule.
•By 2003 the Privacy Rule was final, and covered entity compliance was required by April 14, 2003.

The Obama Years
In 2009, President Obama signed the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act).
Introduced as part of the American Recovery and Reinvestment Act, or ARRA.
The HITECH Act introduced incentives to improve technology infrastructure and to encourage providers to switch to electronic health record (EHR) platforms.
Breach Notification Rule introduced: requires covered entities and business associates to report data breaches to OCR and to notify the individuals affected by the breach.
Enforcement Rule strengthened: provides for a tiered financial penalty system.

Privacy Rule
•In general, the Privacy Rule covers protected health information (PHI) in all forms.
•The Privacy Rule sets the standards spelling out how you must control PHI.
•More concrete: a list of “do’s and don’ts”.

Security Rule
The Security Rule covers PHI in electronic form only (EPHI). The Security Rule defines the standards that you must implement to provide basic safeguards protecting EPHI.
More abstract, and based on risk.

Again, the HIPAA Privacy Rule vs. HIPAA Security Rule
– what’s the difference?
•HIPAA Privacy Rule - defined as the right of an individual to keep his/her
individual health information from being disclosed. Privacy encompasses
controlling who is authorized to access patient information; and under
what conditions patient information may be accessed, used and/or
disclosed to a third party. The HIPAA Privacy Rule applies to ALL
protected health information.
•HIPAA Security Rule - mechanisms in place to protect the privacy of electronic health information - includes the ability to control access to patient information, as well as to safeguard patient information from unauthorized disclosure, alteration, loss or destruction. Security is accomplished through administrative, physical and technical safeguards. Since so much PHI is now stored and/or transmitted by computer systems, the HIPAA Security Rule was created to specifically address ELECTRONIC protected health information.

Business Associate (Definition)
•2024 will show increased enforcement on BAs.
•Business Associates (BAs) are individuals or entities who create, receive, maintain, or transmit protected health information on behalf of a covered entity.
•Example: answering services, medical transcription, IT groups, billing companies and shredding services are clearly under the auspices of “Business Associate”.

Risks of Telemedicine and Telecommuting
A telecommuting policy should be in place.
•Ideally a good telecommuting program means working in a paperless environment (fewer risks).
•Under no circumstances should practice business information or participant information be disclosed in any way to individuals who are not privy to such information.

Telecommuting
•Telecommuting does not replace the need for child or
dependent care.
•All staff members should be expected to make arrangements
for children or dependents that require care to ensure that
they do not interfere with your performance expectations
and/or be privy to any confidential patient interactions.
•Acceptable arrangements include an off-site day care or
another primary caregiver in your home.
•No one other than the employee should be allowed to use the practice-owned computer, or a personally owned computer if it is used to access, transmit, or store PHI.

HIPAA PRIVACY RULE
CHANGES TO TAKE EFFECT IN 2024
1.Changes to Right of Access
2.Changes relating to Care Coordination and
Information Sharing
3.Necessity to update the Notice of Privacy
Practices

Right of Access
•Gives patients the right to take notes and to use “personal resources” such as a smartphone to take pictures of their PHI.
•Changes in response time for requests: the timeframe changes from 30 days with an optional 30-day extension to 15 days with an optional 15-day extension.
•Right to PHI in the form and format requested by the patient: “readily producible” copies of PHI (including EPHI) must be provided through secure application programming interfaces (APIs) to applications chosen by the individual.
•Requirement to deliver copies of PHI in any form and format required by applicable state or other laws.
•Eased identity verification: prohibits covered entities from imposing unreasonable verification measures such as notarized signatures or in-person proof of identification when other credible, more convenient methods are available.

Mitigating Steps for Theft
•HARDWARE ENCRYPTION
•Remote Tracking – GPS tracking ability; now standard on iPhones via the “Find My iPhone” function.
•Remote Disabling – a secondary layer of protection, but it will not protect the device if the SIM card is removed first.
•Remote Memory Wipe – must be installed beforehand via an app or built-in function (last resort).

2024 Mobile Devices
•HHS issued guidance addressing the extent to which PHI is protected on mobile devices. Although the HIPAA Privacy Rule and Security Rule (protecting PHI when maintained or transmitted electronically) provide protections for the use and disclosure of PHI held or maintained by covered entities and their business associates, they do not address PHI accessed through or stored on personal devices owned by individual patients.
•Example: although PHI maintained on electronic devices owned by a covered entity is protected from disclosure by HIPAA, once a patient downloads that information to a personal device, HIPAA no longer protects it.

TEXTING Positives in Healthcare
•Texting CAN provide great advantages in
health care
–Appointment Reminders (2024 - MUST OPT IN FOR
MENTAL HEALTH AND SUBSTANCE ABUSE)
–Fast
–Easy
–Loud background noise problems are mitigated
–Bad signal issues mitigated
–Device neutral

TEXTING Negatives in Healthcare
•Messages reside on the device and are not deleted.
•Very easily accessed.
•Not typically centrally monitored by IT.
•Can be compromised in transmission relatively easily.
•A text message used to make a judgement in patient care becomes part of the record, and the HIPAA Privacy Rule requires that it be disclosed to the patient on request.
•CANNOT TEXT PATIENT ORDERS UNLESS ENCRYPTED

2020, 2021, and 2022 Violations & Fines
•The last few years of investigations and violations confirmed many suspicions…
–Small providers had many more issues than the larger ones.
–Healthcare providers and Business Associates had more issues than clearinghouses or plans.
–The HIPAA Security Rule is the biggest concern (65%), compared to the HIPAA Privacy Rule (26%) and the Breach Notification Rule (9%).
NOTE: As it relates to “fines”, HIPAA Security Rule violations accounted for over 90% of the amounts collected.

Best Course of Action

THE END
Q&A
Thank You