HIPAA Security for Human Resource Professionals

Overview:

This webinar will begin with an introduction to HIPAA and a review of the basics of privacy and security, including:

• Who are covered entities?
• Who are business associates?
• What is protected health information?
• What do the privacy regulations require?
• What do the security regulations require?

This webinar will address both privacy and security because security and privacy are inextricably linked. The protection of the privacy of information depends in large part on the existence of security measures to protect that information. Accordingly, a consistent, seamless approach to HIPAA privacy and security compliance is most effective.

The major focus of the webinar will be on the more recent developments under HIPAA resulting from amendments to HIPAA by the Genetic Information Nondiscrimination Act (GINA) and the HITECH Act.

Some of the highlights of HITECH's impact on HIPAA are as follows:

• Added new definitions for key privacy and security terms, including breach, electronic health record, and personal health record. HITECH also made a technical amendment to the HIPAA definition of health plan so that the term now includes Medicare Part D coverage.
• Made some of the privacy and security standards directly applicable to business associates, and business associates may now be liable for civil and criminal penalties for violations of those standards.
• Added new notification requirements that are triggered by a breach of unsecured PHI. Business associates must notify covered entities of any such breach, and covered entities that discover such a breach must notify the affected individuals as soon as is reasonably possible, but in any event no longer than 60 days after the breach is discovered. Covered entities must also give notice of such a breach to HHS and, in certain circumstances, to certain media outlets. Other organizations that are not covered entities under HIPAA, such as vendors of personal health records, are also required to notify affected individuals and the Federal Trade Commission (FTC) of such breaches.
• Added new accounting standards for disclosures of PHI by a covered entity from an electronic health record (EHR).
• Will also require HHS to issue guidance as to what is the “minimum necessary” with respect to the use, disclosure or request for PHI. Until such guidance is issued covered entities and business associates must limit their use, disclosure, or request for PHI to a limited data set or to the minimum information necessary to accomplish the intended purpose of the use, disclosure or request.
• Significantly increased the civil monetary penalties that can be assessed for violations of the privacy and security standards to as much as $50,000 per violation per standard. Criminal penalties may also apply to employees of a covered entity who obtain or disclose a covered entity's PHI, and not just to the covered entity itself. And state attorneys general are authorized to file civil actions in a federal district court against individuals who violate HIPAA's privacy and security standards.

Protected health information (PHI) is individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media. GINA amended the definition of “health information” applicable under HIPAA’s privacy provisions to explicitly include genetic information.

Why should you attend :

Whether you represent a covered entity or a business associate of a covered entity, there are new rules related to HIPAA and a new emphasis on enforcement that combine to mean you should review your policies and procedures before you get hit with a large fine, or even prison. Covered entities include virtually all health care providers (doctors, pharmacists, hospitals, etc.) Health plans are also covered entities. Health plans are not just the giant insurers. Health plans are also every employer-sponsored plan, with no minimum size. Joe’s Barber Shop with just 2 employees is a health plan and the health plan needs appropriate documentation. Business associates include any individual or company that uses or discloses protected health information on behalf of a covered entity. Examples of business associate functions are almost endless and include claims processing, data analysis, utilization review, quality assurance, billing, benefit management, practice management, repricing, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, financial services and placing insurance. Under the latest rules, each of these organizations must have HIPAA policies and procedures for both privacy and security, must appoint a privacy officer and a security officer and much more (a limited exception is available, but even that requires proper documentation). While the emphasis, to date, has been on complaint investigation, this is likely to change, given the enactment of tougher enforcement standards under the Health Information Technology for Economic and Clinical Health (HITECH) Act (including the requirement that HHS conduct periodic audits of covered entities and business associates). The HITECH Act strengthens HHS’s enforcement authority. HITECH’s penalty structure represents a significant increase in the liability of covered entities for civil monetary penalties. Under this new rule, HHS can impose up to a $50,000 penalty per violation. Additionally the HITECH Act increases the maximum penalty for all similar violations of the same HIPAA provision in a calendar year to $1,500,000.

Areas Covered in the Session

• Review of Privacy & Security Basics
• Who are Covered Entities?
• Who are Business Associates?
• What is Protected Health Information?
• What do the Privacy Regulations Require?
• What do the Security Regulations Require?
• Recent Developments
• GINA
• HITECH

Who Will Benefit:

• Vice Presidents of Human Resources
• Human Resource Managers
• Directors of Compensation and Benefits
• Benefit Managers
• Benefit Specialists
• Employee Benefits Consultants
• Group Insurance Brokers
• Employees of Insurance Companies and Third-Party Administrators