Hurricane Harvey HIPAA Reminder

Disasters, which can ultimately lead to a data breach, come in various forms – natural, man-made and technical. HIPAA, the HITECH Act, the Federal Trade Commission and the Securities and Exchange Commission are just a handful of entities requiring that the confidentiality, integrity and availability of the sensitive information (e.g., protected health information (PHI) and personally identifiable information (PII)) remain intact. Although federal HIPAA has distinct categories (e.g., covered entity, business associate, and subcontractor), other state or federal government entities use “covered entity” to mean any person that creates, receives, maintains or transmits PHI or PII.

HIPAA sets forth three main categories of safeguards: administrative, physical, and technical safeguards. Often times, these categories overlap. For example, the administrative requirement of a sanction policy compliments the physical requirement of two-factor identification for building access.

Below are a couple of select sections from the Code of Federal Regulations (CFR), which organizations should be particularly vigilant about in relation to disasters.

•45 CFR §164.310 (Physical) – requires that policies and procedures for facility access in order to restore lost data under the disaster recovery and emergency access plan.

•45 CFR §164.308 (Administrative Safeguards) – multiple requirements are set forth under this particular section of the CFR. For example:

•Security management process

•Annual risk analysis

•Information activity review

•Workforce clearance procedure

•Security awareness training

•Contingency plan

 

Read More: http://snip.ly/duepz#http://www.diagnosticimaging.com/blog/hurricane-harvey-hipaa-reminder

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.

The Value and Importance of Health Information Privacy

Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care. Protecting patients involved in research from harm and preserving their rights is essential to ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level, because it permits complex activities, including research and public health activities to be carried out in ways that protect individuals’ dignity. At the same time, health research can benefit individuals, for example, when it facilitates access to new therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.

The intent of this chapter1 is to define privacy and to delineate its importance to individuals and society as a whole. The value and importance of health research will be addressed in Chapter 3.

CONCEPTS AND VALUE OF PRIVACY

Definitions

Privacy has deep historical roots (reviewed by Pritts, 2008Westin, 1967), but because of its complexity, privacy has proven difficult to define and has been the subject of extensive, and often heated, debate by philosophers, sociologists, and legal scholars. The term “privacy” is used frequently, yet there is no universally accepted definition of the term, and confusion persists over the meaning, value, and scope of the concept of privacy. At its core, privacy is experienced on a personal level and often means different things to different people (reviewed by Lowrance, 1997Pritts, 2008). In modern society, the term is used to denote different, but overlapping, concepts such as the right to bodily integrity or to be free from intrusive searches or surveillance. The concept of privacy is also context specific, and acquires a different meaning depending on the stated reasons for the information being gathered, the intentions of the parties involved, as well as the politics, convention and cultural expectations (Nissenbaum, 2004NRC, 2007b).

Our report, and the Privacy Rule itself, are concerned with health informational privacy. In the context of personal information, concepts of privacy are closely intertwined with those of confidentiality and security. However, although privacy is often used interchangeably with the terms “confidentiality” and “security,” they have distinct meanings.Privacy addresses the question of who has access to personal information and under what conditions. Privacy is concerned with the collection, storage, and use of personal information, and examines whether data can be collected in the first place, as well as the justifications, if any, under which data collected for one purpose can be used for another (secondary)2 purpose. An important issue in privacy analysis is whether the individual has authorized particular uses of his or her personal information (Westin, 1967).

Confidentiality safeguards information that is gathered in the context of an intimate relationship. It addresses the issue of how to keep information exchanged in that relationship from being disclosed to third parties (Westin, 1976). Confidentiality, for example, prevents physicians from disclosing information shared with them by a patient in the course of a physician–patient relationship. Unauthorized or inadvertent disclosures of data gained as part of an intimate relationship are breaches of confidentiality (Gostin and Hodge, 2002NBAC, 2001).

 

Read More: http://snip.ly/tlhw0#https://www.ncbi.nlm.nih.gov/books/NBK9579/

 

HIPAA compliance expectations from Small Healthcare Providers

For The Health Information Portability and Accountability Act (HIPAA), the Business Associate is a major component. According to HIPAA, a Business Associate (BA) is an organization or a person who works with or provides service to a Covered Entity. A CE is one who handles or discloses Protected Health Information (PHI). This makes a Business Associate any person or entity that is involved in creating, receiving, maintaining or transmitting PHI to a CE for a purpose or activity or function as mandated and regulated by the HIPAA Privacy Rule.

Small businesses struggle with meeting HIPAA requirements

There are specific requirements that small healthcare practices need to put in place and to show that their program is current and meets the regulatory requirements set out in HIPAA. They need to conceive and implement a HIPAA compliance program that meets the requirements set out in this legislation. The compliance program should not only be adequate; it should be robust and resilient enough to withstand HIPAA’s strict scrutiny at various levels.

Helping small healthcare providers with the knowledge and skill needed for meeting HIPAA requirements is the purpose of a two-day seminar that is being organized by GlobalCompliancePanel, a leading provider of professional trainings for all the areas of regulatory compliance. At this seminar, Jay Hodes, who is a leading expert in HIPAA compliance and President of Colington Consulting, which provides HIPAA consulting services for healthcare providers and Business Associates, will be the Director.

Want to get a complete understanding of the requirements that small healthcare providers need to meet to comply with HIPAA requirements? Just register for this learning session by visiting HIPAA compliance expectations from Small Healthcare Providers.

Full explanation of what all a small business provider needs to do

This seminar is particularly created for small healthcare providers who have a difficulty in understanding the HIPAA compliance requirements and meeting them. It will be useful for those of various business sizes, but is primarily focused on the small healthcare provider. Jay will impart the kind of teaching with which organizations will be able to meet all of the HIPAA, HITECH, and Omnibus Rules.

The basis to implementing the requirements of compliance program is to first fully understand them. This is the learning that this seminar will offer. At the end of two days of intense learning that will be interspersed with lively presentations; participants will have inculcated a full grasp of all of the requirements for a comprehensive HIPAA compliance program. They will also have got a clear understanding of the kind of steps that they need to take to mitigate risk.

Steps needed to develop, review and amend HIPAA

The Director will include practical exercises over these two days that will help participants know all that is needed for developing, reviewing, and amending HIPAA policy and procedure. He will equip the participants with a clear roadmap for what needs to be place when it comes to all of the HIPAA regulations.

Over the two days, Jay will cover the following areas:

o  Why was HIPAA created?

o  Who Must Comply with HIPAA Requirements?

o  What are the HIPAA Security and Privacy Rules?

o  What are the Consequences of being a Business Associate

o  What is a HIPAA Compliance Program for a Business Associate?

o  What is a HIPAA Risk Management Plan?

o  What is a HIPAA Risk Assessment?

o  What is the Role of the HIPAA Security Official?

o  What are HIPAA training requirements?

o  What is a HIPAA data breach and what happens if it occurs?

o  What are the penalties and fines for non-compliance and how to avoid them

o  Case Examples of HIPAA Data Breaches

o  Creating a Culture of Compliance

o  Q&A.