2024 HIPAA Regulations and Strategies for Compliance Officers

About This Presentation
Title:

2024 HIPAA Regulations and Strategies for Compliance Officers

Description:

This 90-minute lesson on 2024 HIPAA Training for the Compliance Officer is essential for practice and business managers, as well as compliance officers, aiming to get their HIPAA house in order before the upcoming audits. This comprehensive course will cover significant changes under the Omnibus Rule and other crucial updates for 2024. The primary goal is to educate participants on the myths versus reality of HIPAA laws. With so much misinformation surrounding the dos and don'ts of HIPAA compliance, Mr. Brian Tuttle, a seasoned expert with over 20 years of experience in Health IT and Compliance Consulting, aims to clarify these complexities. Drawing from over 1,000 risk assessments and extensive experience dealing with the Office of Civil Rights HIPAA auditors, Mr. Tuttle will debunk common myths and provide a clear understanding of this complex law. – PowerPoint PPT presentation

Number of Views:3
Date added: 7 June 2024
Slides: 21
Provided by: confpanel5

less

Transcript and Presenter's Notes

Title: 2024 HIPAA Regulations and Strategies for Compliance Officers


1
HIPAA Training for the Compliance Officer
Brian L. Tuttle, CPHIT, CHA, CHP, CBRA, CISSP,
CCNA, Net
2
  • The Health Insurance Portability Act of 1996
    (HIPAA)
  • Enacted by the United States Congress and signed
    by President
  • Clinton in 1996.

3
  • Bi-partisan bill also known as the
    Kennedy-Kassebaum Act named after two of its
    major sponsors
  • Senator Ted Kennedy (D) Massachusetts
  • Senator Nancy Kassebaum (R) Kansas

4
The Bush Years
  • Technical corrections to the law
  • Mandates that OCR enforce HIPAA.
  • HHS allowed the public to make comments on what
    modifications, if any, should be made to the
    Privacy Rule
  • 2003, the Privacy Rule was finalized and covered
    entity compliance was required by April 14 of
    2003.

5
The Obama Years
In 2009, President Obama signed the Health
Information Technology for Economic and Clinical
Health Act HITECH Act. Introduced as part of
the the American Recovery and Reinvestment Act,
or ARRA. The HITECH Act introduced incentives to
improve technology infrastructure and to
encourage providers to switch to electronic
health record (EHR) platforms. Breach
Notification Rule introduced, requires covered
entities and business associates to report data
breaches to OCR, and to provide notice of a
breach to individuals affected by the
breach. Enforcement Rule introduced, providing
for a tiered financial penalty system.
6
Privacy Rule
  • In general, the Privacy Rule covers protected
    health information (PHI) in all forms.
  • The Privacy Rule sets the standards spelling out
    how you should control PHI
  • More analytical based on dos and dont.s

7
Security Rule
The Security Rule only covers PHI in electronic
form. The Security Rule defines the standards
that you must implement to provide basic
safeguards to protect EPHI More abstract and
based on risk
8
Again, the HIPAA Privacy Rule vs. HIPAA Security
Rule
whats the difference?
  • HIPAA Privacy Rule - defined as the right of an
    individual to keep his/her individual health
    information from being disclosed. Privacy
    encompasses controlling who is authorized to
    access patient information and under what
    conditions patient information may be accessed,
    used and/or disclosed to a third party. The HIPAA
    Privacy Rule applies to ALL protected health
    information.
  • HIPAA Security Rule - mechanisms in place to
    protect the privacy of electronic health
    information - includes the ability to control
    access to patient information, as well as to
    safeguard patient information from unauthorized
    disclosure, alteration, loss or destruction.
    Security is typically accomplished through
    operational and technical controls. Since so much
    PHI is now stored and/or transmitted by computer
    systems, the HIPAA Security Rule was created to
    specifically address ELECTRONIC protected health
    information.

9
Business Associate (Definition)
  • 2024 will show increased enforcement on BAs
  • Business Associates (BAs) are individuals or
    entities who create, receive, maintain, or store
    private health information on behalf of a covered
    entity.
  • Example Answering Services, Medical
    Transcription, IT groups, Billing companies,
    shredding services are clearly under the auspices
    of Business Associate

10
Risks of Telemedicine (Telecommuting)
  • Telecommuting Policy Should be in Place
  • Ideally a good telecommuting program includes
    working a paperless work environment (less risks)
  • Under no circumstances should practice business
    information or participant information be
    disclosed in any way to individuals who are not
    privy to such information.

11
Telecommuting
  • Telecommuting does not replace the need for child
    or dependent care.
  • All staff members should be expected to make
    arrangements for children or dependents that
    require care to ensure that they do not interfere
    with your performance expectations and/or be
    privy to any confidential patient interactions.
  • Acceptable arrangements include an off-site day
    care or another primary caregiver in your home.
  • No one other than the employee should be allowed
    to use the practice owned computer or personally
    owned computers (if used to access, transmit, or
    store PHI)

12
HIPAA PRIVACY RULE CHANGES TO TAKE AFFECT IN 2024
  1. Changes to Right of Access
  2. Changes relating to Care Coordination and
    Information Sharing
  3. Necessity to update the Notice of Privacy
    Practices

13
Right of Access
  • Allows patients right to take notes and use
    personal resources
  • such as a smartphone to take pics of their PHI
  • Changes in Response Time for Requests timeframe
    for requests change from 30 days with optional 30
    day extension to 15 days with an optional 15 day
    extension
  • Rights to PHI in Form and Format Requested by
    Patient readily
  • producible copies of PHI (to include EPHI) must
    be provided through secure application program
    interfaces (APIs) via applications chosen by the
    individual
  • Requirement to deliver copies of PHI in any form
    and format
  • required by applicable state or other laws
  • Eased Identity Verification prohibits covered
    entities from imposing unreasonable verification
    measures such as notarized signatures or proof of
    identification in person (when other credible,
    more convenient methods are available)

14
Mitigating Steps for Theft
  • HARDWARE ENCRYPTION
  • Remote Tracking GPS tracking ability, this is
    now standard on iPHones using Find my iPhone
    function
  • Remote Disabling secondary layer of protection
    but
  • will not protect if SIM card was stolen first.
  • Remote Memory Wipe must be installed prior via
    app or function (last resort)

15
2024 Mobile Devices
  • HHS issued guidance addressing the extent to
    which PHI is protected on mobile devices.
    Although the HIPAA Privacy Rule and Security Rule
    (protecting PHI when maintained or transmitted
    electronically) provide protections for the use
    and disclosure of PHI held or maintained by
    covered entities and their business associates,
    they do not address PHI accessed through or
    stored on personal devices owned by individual
    patients.
  • Example although PHI maintained on electronic
    devices owned by a covered entity would be
    protected from disclosure by HIPAA, once a
    patient downloads that information to a personal
    device, HIPAA would no longer protect it.

16
TEXTING Positives in Healthcare
  • Texting CAN provide great advantages in health
    care
  • Appointment Reminders (2024 - MUST OPT IN FOR
    MENTAL HEALTH AND SUBSTANCE ABUSE)
  • Fast
  • Easy
  • Loud background noise problems are mitigated
  • Bad signal issues mitigated
  • Device neutral

17
TEXTING Negatives in Healthcare
  • Reside on device and not deleted
  • Very easily accessed
  • Not typically centrally monitored by IT
  • Can be compromised in transmission relatively
    easy
  • HIPAA Privacy Rule requires disclosure of PHI to
    patient (i.e. text message is used to make a
    judgement in patient care)
  • CANNOT TEXT PATIENT ORDERS UNLESS ENCRYPTED

18
2020, 2021, and 2022 Violations Fines
  • The last few years of investigations and
    violations
  • confirmed many suspicions
  • Small providers had many more issues than the
    larger
  • ones
  • Healthcare providers and Business Associates had
    more issues than clearinghouses or plans
  • HIPAA Security Rule is the biggest concern (65)
    compared to HIPAA Privacy (26) and Breach
    Notification Rule (9)
  • NOTE As it relates to fines the HIPAA Security
    Rule
  • brought in over 90

19
Best Course of Action
20
THE END
QA Thank-You
Register Now
Write a Comment
User Comments (0)