HIPAA- Facility Policies
Which of the following serves as an analogy for a set of policies?
The US Constitution
Policy Excerpt: The Security Policy of Surgical Associates requires:
- All activities within the practice will comply with HIPAA and state laws
- All systems will be protected against malicious software using the latest technology, including current subscriptions and automatic updates
- No one may access protected health information unless specifically for the purposes of treatment, payment, or operations
- No electronic protected health information may be stored or transmitted unless encrypted
- No patient data may be sent offsite for any reason without specific authorization of the Practice Manager or an owner
- All data breaches must be reported immediately to the Practice Manager or an owner
- Any violation of this policy, HIPAA, or state laws may result in disciplinary action, including termination. Criminal violations will be referred to the proper law enforcement agency
Procedure Excerpt: To comply with HIPAA (CFR 164.308(a)(5)), Surgical Associates will implement XYZ Endpoint Protection on all servers, desktop, and laptop computers. This software will be configured to:
- Perform automatic updates to each desktop and laptop computer
- Manual updates for servers, which shall be completed no later than 3 business days after the update is released
- Block users from removing or disabling the endpoint protection software
In addition to protecting health information, a healthcare organization may also have to protect:
- Personal financial information collected to provide financial aid
- Credit card numbers
- Data sent offsite
How much information may be used, requested, or shared?
- When deciding what or how much information to share, remember the minimum necessary rule. The Privacy Rule requires that covered entities take reasonable steps to limit the use or disclosure of information to only that which is needed to accomplish the goal of the request.
- The covered entity is responsible for determining the minimum amount of information needed to fulfill a particular purpose.
How to Comply with Multiple Regulations
The following steps provide a general strategy for complying with multiple regulations.
1) Identify the regulations that apply to your organization. This information may be available in easily digestible form through industry associations, professional organizations, chambers of commerce, or other bodies.
2) Review the regulations. You may need to involve a consultant or attorney.
3) Determine whether particular regulations are general or granular. For example, HIPAA requires that users use unique passwords but offers little other guidance. By contrast, PCI DSS requires passwords to be seven characters and include letters and numbers.
4) Develop and implement policies and procedures to comply with the stricter requirement, which will necessarily satisfy the more general requirement too. For example, by requiring passwords that comply with PCI DSS, you will also comply with HIPAA.
5) Document your policies and procedures.
6) Map your policies and procedures to all of the compliance regulations that apply to you.
What/Who is a covered entity?
A covered entity is a provider that must comply with HIPAA regulations. A provider may be a health plan, such as Medicare, Medicaid, or Blue Cross; a healthcare provider, which would include any hospital, doctor's office, or pharmacy; or a clearinghouse.
What is the "minimum necessary" standard?
A covered entity must limit the amount of PHI to meet a legitimate purpose. This requirement does not apply for treatment purposes, when requesting information from another provider, or when releasing information to the patient or to someone the patient has authorized.
What information is protected by HIPAA?
All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the final rule.
What is encryption?
Encryption is the conversion of a message of regular text into encoded text. The text is encrypted by means of an algorithm (type of formula). If information is encrypted, there is a low probability that anyone other than the receiving party who has the key to the code would be able to decrypt (translate) the text and convert it into plain, comprehensible text.
Can I be penalized (e.g., jail time or fines) for a HIPAA breach?
Usually the provider is responsible for any breaches within their facility; however, if you purposely or knowingly disclose individually identifiable health information you are committing a criminal violation and can be prosecuted by the U.S. Department of Justice.
Does HIPAA allow healthcare providers to share patient health information for treatment purposes without the patient's authorization?
Yes. Doctors, nurses, hospitals, laboratory technicians and other covered entities can share and discuss a patient's medical information for treatment purposes without the patient's authorization. Information may be shared when consulting with other providers and when referring patients because it is done for treatment purposes.
A policy is best described how?
a written rule
Which of the following aims does an awareness program help to meet?
- remind employees about policies and procedures
- remind employees of the need to comply with federal, state, and organizational requirements
- remind employees of the sanctions they will face for non-compliance
- all the above
all the above
The Gramm-Leach-Bliley Act (GLBA)
requires financial institutions to protect identifiable financial data, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security Numbers.
Sarbanes-Oxley Act (SOX)
established new requirements and standards of accountability for boards, executives, and financial officers. The law was enacted after several high-profile corporate and accounting scandals, including those at Enron and WorldCom. SOX made board members and executives criminally responsible for a publicly traded company's failure to adhere to financial disclosure standards.
About _____ of HIPAA regulations address policies and procedures.
half
The Payment Card Industry Data Security Standard (PCI DSS)
is a compliance program managed by the credit card companies. It applies to all companies that accept, acquire, transmit, process, or store payment card information. All businesses that accept credit cards must comply, including covered entities and business associates. There are 12 compliance requirements, with procedures of various complexity based on the number of credit card transactions the organization processes. Failure to comply may result in penalties that can include ending the organization's authority to process credit cards, which could be devastating for many businesses.
Policies
rules
Procedures
steps needed to implement those rules
Training should be repeated and documented every _____, at a minimum.
year