HIPAA Compliance for Mental Health Practices


Explore the importance of HIPAA compliance in mental health practices, including safeguarding patient information, exceptions to HIPAA regulations, and consequences of breaches. Learn how to prioritize patient welfare while adhering to legal requirements and protecting sensitive data.

  • Mental health
  • HIPAA compliance
  • Patient welfare
  • Data protection
  • Healthcare regulations

Uploaded on Apr 04, 2025



Presentation Transcript


  1. HIPAA Compliance for Mental Health Practices Mark Norby, CHP, & Cassidy Lach, MA, LPC

  2. First, Do No Harm. Auguste François Chomel (1788–1858), Parisian pathologist and clinician

  3. Why do we care? Possible negative consequences of a mental health breach to the patient

  4. HIPAA red tape should never stand in the way of disclosures that are necessary for the welfare of the patient or the general public's health and safety.

  5. Exceptions to HIPAA The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others.

  6. Exceptions, cont. The Privacy Rule permits a HIPAA covered entity, such as a hospital, to disclose certain protected health information, including the date and time of admission and discharge, in response to a law enforcement official's request, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person. See 45 CFR 164.512(f)(2). http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html

  7. Exceptions, cont. Where a patient is not present or is incapacitated, a health care provider may share the patient's information with family, friends, or others involved in the patient's care or payment for care, as long as the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.

  8. Healthcare Under Attack "Now healthcare is considered a top target. The speed of these attacks and the volume with which they're occurring is increasing significantly. It just requires a much more robust response across the U.S. government and private sector. Major intrusions into healthcare providers' computer systems now are happening at the pace of two or three a day." -- Jim Trainor, deputy assistant director, FBI Cyber Division, April 2015. http://searchhealthit.techtarget.com/news/4500246657/Federal-authorities-on-to-healthcare-cybercrime

  9. OCR Director Jocelyn Samuels indicated that OCR will continue to focus on high impact breaches that demonstrate systemic deficiencies to send a message to organizations that fail to conduct risk analysis, ignore known threats or have insufficient workforce training. That's a warning that the practice of imposing large fines and resolution agreements on organizations OCR believes have disregarded HIPAA rules will continue. Health Data Management magazine (Feb. 2015)

  10. Examples of Privacy Breaches
    • Talking in public areas, talking too loudly, talking to the wrong person
    • Lost/stolen or improperly disposed of paper, mail, films, notebooks
    • Lost/stolen laptops, tablets, smart phones, media devices (video and audio recordings)
    • Lost/stolen tapes, disks, CDs, flash drives, memory drives, SD cards
    • Hacking of unprotected computer systems
    • Snail mail, email or faxes sent to the wrong address, wrong person, or wrong number
    • User not logging off of computer systems, allowing others to access their computer or system

  11. Violations Due to Willful Neglect Violations resulting from willful neglect, defined to mean the conscious, intentional failure or reckless indifference to the obligation to comply with the regulations, will trigger the highest levels of penalties. Penalties arising from willful neglect cannot be waived.

  12. Penalty tiers (per violation / annual cap for all identical violations / can the penalty be waived by OCR?)
    • Did Not Know: $100–$50,000 per violation / $1.5 million cap / waivable: Yes
    • Reasonable Cause: $1,000–$50,000 per violation / $1.5 million cap / waivable: Yes
    • Willful Neglect, Promptly Corrected: $10,000–$50,000 per violation / $1.5 million cap / waivable: No
    • Willful Neglect, Not Corrected: $50,000 per violation / $1.5 million cap / waivable: No

  13. Enforcement examples (approximate settlement or penalty amounts)
    • Copier hard drives ~ $1.2M
    • PHI accessible over the internet ~ $1.7M
    • Senior leaders leak PHI to press ~ $275k
    • Firewall protection disabled for 10 months ~ $400k
    • Unencrypted stolen laptop with PHI of 441 patients ~ $50k
    • Unencrypted stolen laptop with PHI of 3,621 patients ~ $1.5M
    • Stolen USB hard drive ~ $1.7M
    • Appointment calendar on the internet ~ $100k
    • 57 unencrypted hard drives stolen ~ $1.5M
    • Staff looking at celebrity records ~ $865k
    • Lost paper documents ~ $1M
    • Failure to provide copies of medical records to patients ~ $4.3M
    • Illegal use of PHI for marketing ~ $35k
    • Inappropriate disposal of pill bottles ~ $1M and $2.25M
    • Loss of unencrypted backup media and laptops ~ $100k

  14. If we have a breach...
    • Inform all patients involved
    • Inform the Dept. of Health and Human Services
    • Implement corrections within 30 days
    • If more than 500 patients from one state are involved: conduct a media campaign; have your name added to the HHS website
    • Wait for the audits and the fines

  15. Building Your HIPAA Compliance Program

  16. Mark Norby, CHP WCA Regional Training Center 15 Years of IT experience 8 Years as the CIO of the Community Health Center of Central Wyoming and University of Wyoming Family Medicine Residency Program 6 Years as a HIPAA Compliance Officer 3 Years as a HIPAA Compliance Consultant Provided help to more than 100 hospitals and clinics throughout Wyoming and Montana

  17. Disclaimers The presenter is not an attorney and does not give legal advice. There are many different interpretations of HIPAA regulations. Materials referenced are meant to serve as examples and may not be suitable for every organization.

  18. The Power to Heal; an Obligation to Protect

  19. Privacy and Security Starts at the Top Designate a Privacy and Security Officer Make sure that each has a job description Select a qualified professional to assist you with the Security Risk Analysis Promote a culture of protecting patient privacy

  20. Document Your Process, Findings, and Actions Records will be essential if you are audited. A documented good faith effort can be the difference between a corrective action plan (CAP) and a fine. Maintain records for six years.

  21. Examples of Documentation to Keep Completed checklists Security Risk Analysis Report(s) Risk Management Action Plan Business Associate Agreements Trainings for staff System monitoring results Policies and Procedures Meeting minutes

  22. Conduct a Security Risk Analysis An ongoing process to identify risks to the confidentiality, integrity, and availability (CIA) of ePHI. It's the first step towards Security Rule compliance. NOT optional, regardless of size. A checklist will not suffice. Health & Human Services recommends a nine step process as outlined in NIST SP 800-66. Consistently review/update and keep documentation. Soak up the education!

  23. Develop an Action Plan (Risk Management Plan) Use Security Risk Analysis to identify threats and vulnerabilities Focus on high priorities and low hanging fruit Identify what needs to be done Who is going to do it When will it be done The plan must include the following five components:

  24. 1) Physical Safeguards Facility security ~ Is the server room locked? Who has keys to the building? Workstation and office security ~ Are passwords written on a sticky note? Do workstations auto log-off? Protecting portable devices ~ Encryption, auto log-off

  25. 2) Administrative Safeguards Designated security officer Workforce training and oversight Controlling information access Periodic security reassessment

  26. 3) Technical Safeguards Controls on access to EHR and other software Use of audit logs to monitor activities Secure exchanges of electronic data
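The "use of audit logs to monitor activities" safeguard on this slide is only useful if someone actually reviews the log for access that has no business reason, which is exactly how the "staff looking at celebrity records" case on slide 13 gets caught. The script below is an added example, not part of the presentation or any EHR vendor's tooling; the log line format, the treatment-relationship table, the clinic hours and the per-day threshold are all constructed assumptions. It flags three patterns a practice's Privacy Officer would want to see in a monthly review: access to a patient the user has no care or payment relationship with, access outside business hours, and a user touching an unusually large number of distinct charts in one day.

```python
"""Review an EHR access audit log for access that lacks a business reason.

Added example, not from the presentation. The log format, the
treatment-relationship table and the thresholds are constructed
assumptions; real EHR systems export audit trails in their own formats.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: ISO timestamp, user, patient ID, action.
AUDIT_LOG = """\
2015-03-02T09:14:00 cassidy P1001 VIEW
2015-03-02T09:20:00 cassidy P1002 UPDATE
2015-03-02T13:05:00 frontdesk P1001 VIEW
2015-03-02T22:47:00 frontdesk P1077 VIEW
2015-03-03T08:02:00 billing P1002 VIEW
2015-03-03T08:03:00 billing P1077 VIEW
2015-03-03T08:03:30 billing P1078 VIEW
2015-03-03T08:04:00 billing P1079 VIEW
"""

# Constructed "need to know" table: which users are involved in which
# patients' care or payment for care. In practice this comes from the
# scheduling or practice-management system, not a hand-maintained dict.
TREATMENT_RELATIONSHIPS = {
    "cassidy": {"P1001", "P1002"},
    "frontdesk": {"P1001", "P1002", "P1077"},
    "billing": {"P1002", "P1077"},
}

BUSINESS_HOURS = (7, 19)        # assumed clinic hours, 07:00 to 19:00 local
DAILY_PATIENT_THRESHOLD = 3     # assumed: more distinct charts per day is unusual


def parse_log(text):
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def review(events, relationships, business_hours=BUSINESS_HOURS,
           daily_threshold=DAILY_PATIENT_THRESHOLD):
    """Return (user, subject, reason) findings for a human reviewer.

    Every finding is something to investigate, not proof of a violation:
    an after-hours access may be an on-call clinician, and a burst of
    chart views may be a legitimate billing run.
    """
    findings = []
    start, end = business_hours
    per_day = defaultdict(set)  # (user, date) -> distinct patients touched

    for e in events:
        allowed = relationships.get(e["user"], set())
        if e["patient"] not in allowed:
            findings.append((e["user"], e["patient"],
                             "no treatment or payment relationship"))
        if not start <= e["ts"].hour < end:
            findings.append((e["user"], e["patient"],
                             "access outside business hours"))
        per_day[(e["user"], e["ts"].date().isoformat())].add(e["patient"])

    for (user, day), patients in sorted(per_day.items()):
        if len(patients) > daily_threshold:
            findings.append((user, day,
                             f"{len(patients)} distinct patients in one day"))
    return findings


if __name__ == "__main__":
    for user, subject, reason in review(parse_log(AUDIT_LOG), TREATMENT_RELATIONSHIPS):
        print(f"{user:10} {subject:12} {reason}")
```

Keep the output of each review with the other compliance records listed on slide 21: the run itself is the "system monitoring results" an auditor will ask for, and a finding that was investigated and closed is far better evidence than a log nobody opened.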

  27. 4) Policies and Procedures Establish protocols for administrative, physical, and technical safeguards Specify individual patient rights Documented incident response plans Processes for breach notification and sanctions

  28. 4) Policies and Procedures (cont'd) Train staff on policies and procedures. Consistently apply policies and procedures. Periodically review and update P&Ps. Retain old P&Ps for six years after they have been updated or replaced.

  29. 5) Organizational Requirements Breach notification and associated policies, are they in place and have staff been trained Business associate agreements, are they in place and is the BA aware of their responsibilities

  30. Business Associates Responsibilities are very similar to those of a Covered Entity (CE) CE is responsible for obtaining a Business Associate agreement obligating the BA to safeguard PHI Breach notification requirements must be met CE must respond to non-compliance

  31. Prevent with Education and Training Build your policies and procedures and train, train, train, including employees, volunteers, trainees and contractors. Keep copies of your P&Ps easy to find. Formally educate and train your workforce at least once a year or when changes happen.

  32. Periodic Tasks to Consider HIPAA Refresher Training ~ at least annually Review of access rights ~ annually Re-sign Confidentiality Agreements ~ annually IT inventory ~ annually Facility Walkthrough Inspection ~ annually

  33. Periodic Tasks to Consider Assess firewall, router, anti-virus settings for optimum security Annual report to HHS

  34. On behalf of Cassidy Lach, LPC, M.A. and the WCA Regional Training Center Thank You! Mark Norby, Certified HIPAA Professional Instructor/HIPAA Consultant Office: 307.237.4400 ext. 31 Cell: 307.258.5322 mnorby@wyomingcontractors.org
