Post on 06-Aug-2015
Copyright 2007-2015
HIPAA Compliance
§ Mandatory for 7 MILLION Covered Entities (CEs) and Business Associates (BAs)
§ 70% of the market is NOT compliant!
HITECH/EHR incentive requires:
§ Stage 1: Risk Assessment for Meaningful Use Core Measure 15
§ Stage 2: Illustrate corrective actions
Omnibus Rule
§ Compliance date was September 2013
§ Requires CEs and BAs to be HIPAA compliant
§ CEs must have Business Associate Agreements (BAAs) in place with their BAs
Phase 1 Audit Results
§ Only Covered Entities were audited
§ ONLY 11% had no findings/observations
§ 98% of health care providers had at least one negative finding
§ Small-sized Covered Entities struggled with all three HIPAA Standards
Phase 2 Audits
§ BOTH Covered Entities and Business Associates will be audited
§ Stricter audit protocols
§ OCR (Office for Civil Rights) has started sending Pre-Audit Screening surveys
…said no one ever
Phase 2 Pre-Audit Screening Surveys
§ Entities are randomly selected from the National Provider Identifier (NPI) database and America’s Health Insurance Plans databases
§ A pool of 550 to 800 entities selected for surveys
§ 2 weeks to respond
Phase 2 Audits
Will focus on:
§ Areas of greater risk to PHI
§ Non-compliance issues observed during Phase 1
• Risk Analysis/Assessments
• Breach Notifications
• Notice of Privacy Practices
• Workforce member training
§ Identifying best practices
§ Uncovering risks/vulnerabilities not yet identified
The Seven Fundamental Elements of an Effective Compliance Program
1. Implementing written policies, procedures and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action.
*Source: HHS & OIG
Phase 2 Preparation Protocols
§ Confirm the organization has recently completed a comprehensive Risk Assessment.
§ Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion.
§ Ensure that the organization has a complete inventory of BAs and their contact information for purposes of the Phase 2 Audit data requests.
§ If the organization has not implemented any of the Security Standards’ addressable implementation specifications for any of its information systems, it must document: (1) why the addressable implementation specification was not reasonable and appropriate, and (2) all alternative security measures that were implemented in its place. (“Addressable” does not mean optional; it means the decision must be made and documented.)
§ Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards.
§ For health care provider and health plan covered entities, ensure that the organization has a compliant Notice of Privacy Practices and not just a website privacy notice.
Phase 2 Preparation Protocols (Cont.)
§ Ensure the organization has reasonable and appropriate safeguards in place for PHI in any form, including paper and verbal PHI.
§ Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for them to perform their job duties.
§ Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own-device environment).
§ Confirm that all systems and software that transmit electronic PHI employ encryption, or that the organization has a documented risk analysis supporting the decision not to employ encryption. (ePHI encrypted in line with HHS guidance is also outside the breach notification requirements if it is lost or stolen, so encryption reduces both audit and breach exposure.)
§ Confirm the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan.
§ Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (physical security plan, disaster recovery plan, emergency access procedures, etc.).
HIPAA Misconceptions
§ “HHS and OCR aren't interested in my practice.”
§ “It’s really hard, complicated and I am better off ignoring it.”
§ “HIPAA is just that form we have patients sign – that’s enough.”
§ “All I need is a Risk Assessment.”
Compliance Plan
Step 1. Assess where you are against the regulation (GAP analysis)
§ The key to a risk analysis is auditing yourself against the administrative, technical, and physical safeguards of HIPAA
§ A risk analysis will help you attest to Meaningful Use Stage 1 Core Requirement 15
Step 2. Remediation Plan
§ Prove that you remediated the deficiencies identified in the risk analysis
§ Policies & Procedures, Training, and Attestation
Compliance Plan (Continued)
Step 3. How do you prove it? Successful compliance plans address:
§ Administrative and Technical
• Policies and Procedures
§ IT security
• Devices installed and maintained within your organization
§ Physical
• Security within the physical locations of your practice(s)
(Meaningful Use Stage 2 Core Requirement 9 requires that remediation of deficiencies found during the risk analysis be documented and completed)
Step 4. Maintain your compliance
§ As the regulations, staff, and practice change
HIPAA Education Series sponsored by:
www.compliancy-group.com 855.85 HIPAA (855.854.4722)
Compliance In 3 Steps!
To find out more call: 855.854.4722 or email: info@compliancygroup.com
[Comparison chart: The Guard vs. Outside Consultant, Manuals or Templates, Risk Assessment Provider, and Other Compliance Software]
Questions?
For more information, contact:
Sales & Demo Scheduling Questions: Marc Haskelson, 855.854.4722 ext 507, marc@compliancygroup.com
HIPAA Questions: Bob Grant, 855.854.4722 ext 502, bob@compliancygroup.com