Title: 2024 HIPAA Regulations and Strategies for Compliance Officers
Slide 1: HIPAA Training for the Compliance Officer
Brian L. Tuttle, CPHIT, CHA, CHP, CBRA, CISSP, CCNA, Net
Slide 2:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) - enacted by the United States Congress and signed by President Clinton in 1996.

Slide 3:
- Bi-partisan bill, also known as the Kennedy-Kassebaum Act, named after two of its major sponsors:
  - Senator Ted Kennedy (D) Massachusetts
  - Senator Nancy Kassebaum (R) Kansas
Slide 4: The Bush Years
- Technical corrections to the law
- Mandates that OCR enforce HIPAA.
- HHS allowed the public to make comments on what modifications, if any, should be made to the Privacy Rule.
- 2003: the Privacy Rule was finalized and covered entity compliance was required by April 14, 2003.
Slide 5: The Obama Years
In 2009, President Obama signed the Health Information Technology for Economic and Clinical Health (HITECH) Act, introduced as part of the American Recovery and Reinvestment Act (ARRA). The HITECH Act introduced incentives to improve technology infrastructure and to encourage providers to switch to electronic health record (EHR) platforms. The Breach Notification Rule was introduced, requiring covered entities and business associates to report data breaches to OCR and to provide notice of a breach to the individuals affected by it. The Enforcement Rule was introduced, providing for a tiered financial penalty system.
Slide 6: Privacy Rule
- In general, the Privacy Rule covers protected health information (PHI) in all forms.
- The Privacy Rule sets the standards spelling out how you should control PHI.
- More analytical, based on dos and don'ts.
Slide 7: Security Rule
- The Security Rule only covers PHI in electronic form.
- The Security Rule defines the standards that you must implement to provide basic safeguards to protect EPHI.
- More abstract and based on risk.
Slide 8: Again, the HIPAA Privacy Rule vs. HIPAA Security Rule - what's the difference?
- HIPAA Privacy Rule - defined as the right of an individual to keep his/her individual health information from being disclosed. Privacy encompasses controlling who is authorized to access patient information and under what conditions patient information may be accessed, used and/or disclosed to a third party. The HIPAA Privacy Rule applies to ALL protected health information.
- HIPAA Security Rule - mechanisms in place to protect the privacy of electronic health information; includes the ability to control access to patient information, as well as to safeguard patient information from unauthorized disclosure, alteration, loss or destruction. Security is typically accomplished through operational and technical controls. Since so much PHI is now stored and/or transmitted by computer systems, the HIPAA Security Rule was created to specifically address ELECTRONIC protected health information.
Slide 9: Business Associate (Definition)
- 2024 will show increased enforcement on BAs.
- Business Associates (BAs) are individuals or entities who create, receive, maintain, or store protected health information on behalf of a covered entity.
- Example: answering services, medical transcription, IT groups, billing companies and shredding services are clearly under the auspices of Business Associate.
Slide 10: Risks of Telemedicine (Telecommuting)
- A telecommuting policy should be in place.
- Ideally a good telecommuting program includes working in a paperless environment (fewer risks).
- Under no circumstances should practice business information or participant information be disclosed in any way to individuals who are not privy to such information.
Slide 11: Telecommuting
- Telecommuting does not replace the need for child or dependent care.
- All staff members should be expected to make arrangements for children or dependents that require care, to ensure that they do not interfere with your performance expectations and/or become privy to any confidential patient interactions.
- Acceptable arrangements include an off-site day care or another primary caregiver in your home.
- No one other than the employee should be allowed to use the practice-owned computer or personally owned computers (if used to access, transmit, or store PHI).
Slide 12: HIPAA PRIVACY RULE CHANGES TO TAKE EFFECT IN 2024
- Changes to Right of Access
- Changes relating to Care Coordination and Information Sharing
- Necessity to update the Notice of Privacy Practices
Slide 13: Right of Access
- Allows patients the right to take notes and use personal resources, such as a smartphone, to take pictures of their PHI.
- Changes in Response Time for Requests: the timeframe for requests changes from 30 days with an optional 30-day extension to 15 days with an optional 15-day extension.
- Rights to PHI in the Form and Format Requested by the Patient: readily producible copies of PHI (to include EPHI) must be provided through secure application programming interfaces (APIs) via applications chosen by the individual.
- Requirement to deliver copies of PHI in any form and format required by applicable state or other laws.
- Eased Identity Verification: prohibits covered entities from imposing unreasonable verification measures such as notarized signatures or proof of identification in person (when other credible, more convenient methods are available).
Slide 14: Mitigating Steps for Theft
- HARDWARE ENCRYPTION
- Remote Tracking: GPS tracking ability; this is now standard on iPhones using the Find My iPhone function.
- Remote Disabling: a secondary layer of protection, but it will not protect if the SIM card was stolen first.
- Remote Memory Wipe: must be installed beforehand via an app or built-in function (last resort).
Slide 15: 2024 Mobile Devices
- HHS issued guidance addressing the extent to which PHI is protected on mobile devices. Although the HIPAA Privacy Rule and Security Rule (protecting PHI when maintained or transmitted electronically) provide protections for the use and disclosure of PHI held or maintained by covered entities and their business associates, they do not address PHI accessed through or stored on personal devices owned by individual patients.
- Example: although PHI maintained on electronic devices owned by a covered entity would be protected from disclosure by HIPAA, once a patient downloads that information to a personal device, HIPAA would no longer protect it.
Slide 16: TEXTING - Positives in Healthcare
- Texting CAN provide great advantages in health care
- Appointment Reminders (2024 - MUST OPT IN FOR MENTAL HEALTH AND SUBSTANCE ABUSE)
- Fast
- Easy
- Loud background noise problems are mitigated
- Bad signal issues mitigated
- Device neutral
Slide 17: TEXTING - Negatives in Healthcare
- Resides on the device and is not deleted
- Very easily accessed
- Not typically centrally monitored by IT
- Can be compromised in transmission relatively easily
- HIPAA Privacy Rule requires disclosure of PHI to the patient (i.e., when a text message is used to make a judgement in patient care)
- CANNOT TEXT PATIENT ORDERS UNLESS ENCRYPTED
Slide 18: 2020, 2021, and 2022 Violations / Fines
- The last few years of investigations and violations confirmed many suspicions
- Small providers had many more issues than the larger ones
- Healthcare providers and Business Associates had more issues than clearinghouses or plans
- HIPAA Security Rule is the biggest concern (65%) compared to HIPAA Privacy (26%) and Breach Notification Rule (9%)
- NOTE: As it relates to fines, the HIPAA Security Rule brought in over 90%
Slide 19: Best Course of Action

Slide 20: THE END
Q&A - Thank You