HIPAA Webinar Recap

Did you happen to miss our HIPAA, HITECH, BAAs and the Law: Concerns and Best Practices Webinar last Tuesday? No worries, we have the slideshow, video and transcript up on our site, as well as our guest speaker Tatiana Melnik’s contact information if you have any unanswered HIPAA questions. Tatiana also provided numerous external links to sample HIPAA policies, procedures and training from major universities and medical centers for organizations seeking HIPAA compliance resources.

HIPAA, HITECH, BAAs and the Law: Concerns and Best Practices

This webinar discusses the legal implications of HIPAA, HITECH, and BAAs and their impact on IT Infrastructure and those who support it. Moderated by April Sage, Marketing Director of Online Tech, with special guest speaker Tatiana Melnik of Dickinson Wright law firm.

Some of the major takeaway points:

1. Know the requirements, as well as the extent that your company needs to be HIPAA compliant.
2. Have a contract in place that sets certain parameters beforehand, including number of days to report a breach.
3. According to HIPAA, you must have a risk analysis, implement policies and procedures, and you have to train your employees.
4. While there is insurance available for HIPAA-related issues, there is no insurance that will cover you for a willful violation (knowingly breaking HIPAA law or committing criminal acts) against respective government fines or punishment.

Things you should never do:

1. Commit a breach – and it’s important to be prepared and have a plan ready in case a breach does occur.
2. Never write false policies or procedures that your company doesn’t actually follow. This includes plagiarized policy templates that do not reflect your actual workplace practices.
3. Don’t ignore the calls of the Department of Health and Human Services. You can suffer from major fines – one company was given a $3 million fine just for avoiding their calls, while their actual HIPAA violation fine was $1.3 million.

Webinar attendees were also given the opportunity to ask questions. Here’s some of the Q&A (view the full transcript):

Q: What’s a reasonable amount to expect to pay for a risk assessment or HIPAA audit?

A: Anywhere from $500 to $5,000 or $10,000, if you want the in-house training, all of the policies and procedures drafted for you, and if you need any additional services.

Q: Who should be responsible in a Healthcare organization for monitoring HIPAA? Should it be those primarily involved in Compliance? HR? Legal? IT? Everybody?

A: Actually, there is a requirement under HIPAA that each organization have a privacy officer. That is the person that is supposed to be in charge of monitoring these types of things. For example, if you are an organization that deals with HIPAA and you see patients, you are supposed to offer them a notice of privacy practices. It’s best for organizations to appoint one individual to monitor these types of developments because if you have multiple people, it gets very confusing.

Q: What’s the best way to handle PHI (protected health information) in email?

A: Don’t do it. Email is not a secure form of communication. Unless you’re sending encrypted email, you should not do it whatsoever.

This is just a sample of the discussion – view the slides, read the entire transcript and play the HIPAA webinar video on our site.

Tatiana Melnik, Attorney, Dickinson Wright PLLC

Tatiana Melnik is an attorney with the Dickinson Wright law firm where her practice focuses on information technology, healthcare information technology, intellectual property and privacy issues. Ms. Melnik sits on the Michigan Bar Information Technology Law Council, the Automation Alley Information Technology Committee, and is a Managing Editor of the Nanotechnology Law & Business Journal. Ms. Melnik holds a JD from the University of Michigan Law School, and a BS in Information Systems and BBA in International Business, both from the University of North Florida. Ms. Melnik regularly writes and speaks on issues surrounding healthcare information technology. Ms. Melnik will be speaking at the 2011 HIMSS Fall Technology Conference in Indianapolis on Social Media and Healthcare. Contact information is available at our site.