eFolder Partner Chat Webinar — HIPAA Policies and Best Practices from a Partner
TRANSCRIPT
© 2015 eFolder, Inc. All Rights Reserved.
The Cost for Non-Compliance
Massachusetts provider settles HIPAA case (lost laptop): $1.5M
Alaska DHSS settles HIPAA security case (lost hard drive): $1.7M
Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts (lost flash drive): $150K
HHS.gov/ocr/privacy/hipaa/enforcement/examples/index.html
HIPAA Policies and Best Practices from a Partner
Carmen Yu, Marketing Coordinator, [email protected]
Agenda
• Partner Introduction
• What is HIPAA?
• Why Must MSPs Comply?
• Administrative, Physical, and Technical Safeguards
• Business Associates Agreement (BAA)
• How to Work Towards Compliance
• Questions and Discussion
Partner Introduction
dmi Networking
Clients in San Francisco Bay Area and Southern California
Founded in 2010
120 dental managed service clients that must comply with HIPAA
8 employees
Provides risk assessment and HIPAA consultation services
What is HIPAA?
• Health Insurance Portability and Accountability Act (1996)
• Reduces health care fraud and abuse
• Mandates industry-wide standards for health care, especially patient information
• Requires the protection and confidential handling of protected health information
COMPLY & SURVIVE
What is HIPAA?
• Privacy Rule:
– Mandates in which situations and with whom protected health information (PHI) can be shared.
• Security Rule:
– Defines standards for protecting the confidentiality, integrity, and availability of electronic PHI (ePHI).
The Cost for Non-Compliance
$50K: maximum penalty per violation
$1.5M: maximum penalty per year for violations of the same provision
Why Must MSPs Comply?
• September 2013: HIPAA Omnibus Rule
– Expanded HIPAA so that business associates (BAs) of covered entities are required to comply
• Business Associate:
– Business associates are entities that support covered entities by performing duties that involve the use, storage, or transmission of protected health information (PHI)
Questions for Dan
• When did you decide to become HIPAA compliant?
• How far do you go to help your clients become HIPAA compliant?
• Have you ever sought outside help to become HIPAA compliant?
Partner Chat: How to Comply with HIPAA
Administrative Safeguards
• Policies and procedures an MSP puts in place that define how the business will comply with the act
Partner Discussion: What administrative safeguards has dmi Networking implemented?
Physical Safeguards
• Standards to control physical access to protected health information (PHI)
Partner Discussion: What physical safeguards has dmi Networking implemented?
Technical Safeguards
• Standards to control access to computer systems in order to maintain the security of ePHI (the Security Rule's technical safeguard standards: access control, audit controls, integrity, person or entity authentication, and transmission security)
• Documented risk analysis (formally an administrative safeguard under the Security Rule, but it determines which technical safeguards are reasonable and appropriate for the systems holding ePHI)
Partner Discussion: What technical safeguards has dmi Networking implemented?
Business Associates Agreement (BAA)
• A contract stating that a business associate will appropriately safeguard PHI
BAA – Partner Discussion
• Do you sign BAAs with all your clients?
• Who originates the contract?
• Do you have a general template?
• What terms are addressed in the BAA?
More Questions for Dan
• How do you make sure that employees are trained on HIPAA?
• How do you detect non-compliance in your business?
• Are there any compliance best practices that you didn’t previously consider but learned over time?
Your Clients’ Compliance
MSPs can still do business with a client even if the client is non-compliant
Partner Discussion:
• What are common non-compliant solutions that you see clients using?
• How do you deal with client resistance when trying to move them to a HIPAA-compliant solution?
Working Towards Compliance
1. Get a consultation from an expert
2. Identify risks
3. Come up with a roadmap for adjustments
4. Perform a yearly risk assessment!
eFolder and HIPAA
• eFolder will sign Business Associate Agreements
• eFolder has completed a proper HIPAA Risk Analysis conducted by experienced professionals
• eFolder has written HIPAA-specific policies and procedures
• eFolder has trained its workforce to comply with HIPAA
• eFolder has retained HIPAA professionals to maintain compliance over time
• eFolder will provide you with a letter attesting to our HIPAA compliance to take to your clients
Questions and Discussion
Thank you!
Carmen Yu, Marketing Coordinator, [email protected]