Mary Jane McCluskey, CIA, CISA - PowerPoint PPT Presentation


1
HIPAA REFRESHER for York County Employees
  • Presented by
  • Mary Jane McCluskey, CIA, CISA
  • County of York, HIPAA Coordinator

Phone x 9897
2
Navigate the HIPAA waters
SAFELY!
3
County of York's Commitment
NOTICE OF PRIVACY PRACTICES The County of
York, Pennsylvania serves its citizens through
many programs... We are required by law and are
committed to keeping your personal health
information private, confidential, and secure
The York County HIPAA Program will implement and
maintain a system which integrates
confidentiality, privacy and security into all
aspects of County operations, while maintaining
record-keeping and cost efficiencies on behalf of
the citizens of York County.
Customized Training for York County Employees
Created by M.J. McCluskey
4
HIPAA Refresher
  • OBJECTIVES
  • Who, What, When, Where and Why of HIPAA
  • Let's get HIP to HIPAA
  • County Policies
  • What's New?
  • SECURITY module
  • Case Studies

5
HIPAA
Health Insurance Portability and Accountability Act
6
Accountability
  • Privacy and Security of Health Information
  • Fraud Enforcement
  • Standard Transactions

7
Accountability
As individual citizens, each of us should be
concerned with the privacy and security of our
personal health information. We should control
who is looking at it and for what reason. We
should feel confident that information we give is
protected.
8
The What and Why of HIPAA
What is Privacy?
For most of us, privacy is a basic right. It
refers to the things we consider personal and as
our own. It is the things which we don't want
others to know or have access to without our
specific permission.
Privacy Standards
9
The What and Why of HIPAA
What is Privacy?
Under the HIPAA regulations, privacy refers to
being able to control who looks at, uses and
shares an individual's health information.
Privacy Standards
10
The What and Why of HIPAA
What does Security mean in HIPAA?
In HIPAA, security means assuring that the PHI in
County files is protected from loss, theft, and
unauthorized changes. It also means that PHI
will be available when it's needed.
Security Standards
11
The What and Why of HIPAA
What information must be kept PRIVATE under HIPAA?
  • Health information (diagnosis, physical and
    mental health)
  • Provision of care (services and treatment
    information)
  • Payment for services (how payment will be made)
  • Information which identifies the individual
    (name, address, SS)

Privacy Standards
12
The What and Why of HIPAA
What information must be kept private under HIPAA
for York County departments and agencies?
Virtually all information, including case and
progress notes maintained about the client, must
be kept private. Even the fact that an individual
IS a client is private!
Privacy Standards
13
Compliance Dates to Remember
PRIVACY in effect NOW! April 14, 2003
SECURITY coming soon! April 21, 2005
14
The What and Why of HIPAA
Who must comply with the HIPAA regulations? Under
the HIPAA Accountability rules, organizations,
those they contract with for services, AND
employees that create, maintain, or transfer
health information are required to comply with
privacy and security standards.
15
Why is HIPAA Training Mandatory for County
Employees? What was once an ethical
responsibility to protect client information is
now a FEDERAL LAW - with consequences!
16
  • PENALTIES
  • Fines from $100 - $250,000
  • Jail from 1 - 10 years
  • Note: Individual employees can be held liable!

17
Let's Get HIP to HIPAA
18
What's New?
19
What's New?
Human Services Information Release Form
20
What's New?
Business Associate Agreement
with Security elements
21
Over 6,550 complaints received (through May
2004). Approximately half resolved without
formal enforcement.
22
In August 2004
23
Seattle Man Pleads GUILTY
in First Ever Criminal Conviction
for HIPAA Rules Violation
24
  • TOP 5 CATEGORIES OF COMPLAINTS
  • Impermissible use or disclosure of PHI
  • Lack of adequate safeguards
  • Failure to provide access to PHI
  • Disclosure exceeds minimum necessary
  • Failure to provide NPP

25
TOP 5 COVERED ENTITIES
  • Private Health Care Provider
  • General hospitals
  • Pharmacies
  • Outpatient Facilities
  • Group Health Plans

26
  • Fact Sheets for Consumers
  • New FAQs Disclosures to Law Enforcement
  • Relationship of HIPAA to state public records laws

http://www.hhs.gov/ocr/hipaa
27
What does HIPAA mean to me and to my clients?
28
What does HIPAA mean to me and to my clients?
NOTICE OF PRIVACY PRACTICES for Personal Health
Information
Let's review
29
What does HIPAA mean to me and to my clients?
  • When can PHI be shared?
  • Treatment: clinic, RTF, psychologist
  • Payment: billing for services
  • Operations: quality assurance, audit

30
What does HIPAA mean to me and to my clients?
  • How much information can be shared?
  • Treatment: all information to ensure
    comprehensive treatment
  • Payment and operations: minimum necessary

31
What does HIPAA mean to me and to my clients?
  • Under what other circumstances can information be
    shared?
  • Required or permitted uses and disclosures
    without a client's written permission

32
What does HIPAA mean to me and to my clients?
  • Individual rights
  • Right to access and copy
  • Right to amend
  • Right to limit disclosure
  • Right to revoke
  • Right to alternate communications
  • Right to accounting of disclosure

33
What does HIPAA mean to me and to my clients?
  • Filing a complaint
  • Complaints may be filed with the County's
    Privacy Officer
  • OR
  • Complaints may be filed with OCR

34
Who is the County's Privacy Officer?
The County's Privacy Officer is the Office of
the Chief Clerk/Administrator Chuck Noll
35
What does HIPAA mean to me and to my clients?
  • Who can file a complaint?
  • Consumer
  • Someone on behalf of consumer
  • Employee
  • Organization

36
County Policies
37
Security
Compliance Date: April 21, 2005. York County must
be in full compliance by this date!
38
Security
New Term: e-PHI. Refers to all individual health
information created, maintained or transmitted
electronically, including through email!
39
Security Requirements
What has York County done? REMEMBER: Changes will
continue!
40
Security Requirements
Risk Analysis/Risk Management
Vulnerability and risk assessment performed by
BackboneSecurity.com. Findings report received and
actions taken.
41
Security Requirements
Assigned Security Responsibility
Security Officer is Assistant Director
Information Services - Greg McCoy
42
Security Requirements
Security Policies and Procedures
Policies and procedures developed to document the
County of York's security measures, including
sanction policies for those who do not comply.
43
Security Requirements
Information System Activity Review
All computer systems are owned and maintained by
the County, AND are monitored for activity.
44
Security Requirements
Information System Activity Review
Employees can have no expectation of privacy for
computer usage. If there is evidence of
unauthorized use, appropriate sanctions will be
imposed.
45
Security Requirements
Maintenance Log
York County keeps a record of all maintenance
done to systems. One way this is accomplished is
by logging your calls to the Help Desk.
46
Security
Access Authorization
Organizations must determine who is able to
access e-PHI and at what level. Access means read
only, write, modify.
47
Security
Access Authorization
Supervisors determine employee level of access to
County systems based on job responsibilities.
48
Security
Access Authorization
Employees must agree to abide by County security
procedures before gaining access to the system
and their files!
50
Security Requirements
Security Awareness Training
All employees are made aware of the County's
security procedures. Security Training has been
added to HIPAA courses.
51
Security Requirements
Protection from Malicious Software
The County has an extensive virus protection
system, which is updated nightly.
52
Security Requirements
Protection from Malicious Software
The County conducts virus scans regularly. Surf
control blocks access to specific sites.
53
Security Requirements
e-PHI in Email
It is very easy to violate HIPAA requirements
through transmission of PHI in email. The County
is evaluating encryption tools that can be used.
54
Security Requirements
Physical Safeguards
Computers now have a time-out feature. Employees
should lock the keyboard when they leave their
workstation, but if they don't, the system will
time out.
55
Security Requirements
Physical Safeguards
All computer rooms are locked and controlled.
Some are visually monitored such as at the
Judicial Center.
56
Security Requirements
Retiring/Reusing Equipment
When equipment is outdated and/or no longer
needed, IS takes back the hardware and removes
all data from the hard drive before disposal.
57
Security Requirements
Security Incidents
All security incidents must be reported to the
Security Officer.
58
Security Requirements
Security Incidents
  • Examples of security incidents
  • Theft of laptop or PC
  • Breach of password
  • Unauthorized access of your files
  • Corruption of files

59
Security Requirements
Reporting of Security Incidents
  • Report incidents to Security Officer by phone or
    email.
  • Reports handled confidentially.
  • No retaliation for reporting.
  • Report any loss of equipment to immediate
    supervisor also.

60
Security
Password Management
Each user has a unique sign on, and a password
with a defined number of characters, both alpha
and numeric.
61
Security
Password Management
Password change procedures are being evaluated.
62
Security Requirements
Emergency Preparedness Disaster Plan
The County is developing plans and documenting
procedures to continue operations in the event of
an emergency or a disaster.
63
Security Requirements
Emergency Preparedness Disaster Plan
  • Steps that the County is taking to prepare for
    possible emergencies include
  • Data backed up and stored off-site nightly
  • Data is replicated over multiple servers at
    multiple locations

64
For security of your Laptop!
TIPS
  • Keep IDs and PWs separate from laptop (like
    Traveler's Checks)
  • Keep CDs or diskettes separate
  • Physically secure your laptop when traveling:
    password protect, lock in trunk, etc.
  • When in a public area, do not leave laptop
    unattended or where others can see the screen

65
For security when working outside the office
TIPS
  • County confidentiality and security rules still
    apply!
  • Don't allow others to use your computer: YOU
    are responsible for what is done on your computer
  • Be aware of others who could view your files

66
Case Studies
67
THANK YOU!
Mary Jane McCluskey x 9897