How to Survive a HIPAA Audit

855.85HIPAA www.compliancygroup.com 1 Copyright 2007-2015

Transcript of How to Survive a HIPAA Audit

Page 1: How to Survive a HIPAA Audit

Page 2: How to Survive a HIPAA Audit

HIPAA Compliance

HIPAA compliance
•  Mandatory for 7,000,0000 Covered Entities (CE) & Business Associates (BA)
•  70% of the market is NOT compliant!

HITECH/EHR incentive requires:
•  Stage 1. Risk Assessment for Meaningful Use Core Measure 15
•  Stage 2. Illustrate corrective actions

Omnibus Rule
•  Compliance date was September 2013
•  Requires CEs/BAs to be HIPAA compliant
•  CE must have (BAAs) Business Associate Agreements

Page 3: How to Survive a HIPAA Audit

Phase 1 Audit Results

•  Only Covered Entities were audited
•  ONLY 11% had no findings/observations
•  98% of health care providers had at least one negative finding
•  Small-sized Covered Entities struggled with all three HIPAA Standards

Page 4: How to Survive a HIPAA Audit

Phase 2 Audits

•  BOTH Covered Entities and Business Associates will be audited
•  OCR (Office of Civil Rights) audit request sent 2 weeks prior to audit
•  Stricter audit protocols

Page 5: How to Survive a HIPAA Audit

Audit Preparation

•  Risk Assessment must be completed or updated within the last 12 months
•  Deficiencies discovered during Risk Assessment must be addressed or have a reasonable timeline
•  Updated policies and procedures
•  HIPAA training for Employees
•  Required annually or as changes are made to policies/procedures

Page 6: How to Survive a HIPAA Audit

Audit Preparation (continued)

•  Updated database of Business Associates
•  BAAs, must reflect Omnibus changes
•  Inventory of IT devices with access to ePHI
•  Proper and reasonable safeguards for PHI that exists in any form, paper or electronic
•  Review your compliance plan

Page 7: How to Survive a HIPAA Audit

HIPAA Misconceptions

•  “HHS and OCR aren't interested in my practice.”
•  “It’s really hard, complicated and I am better off ignoring it.”
•  “HIPAA is just that form we have patients sign – That’s enough.”
•  “All I need is a Risk Assessment.”

Page 8: How to Survive a HIPAA Audit

Compliance Plan

Step 1. Assess where you are against the regulation (GAP)
•  The key to a risk analysis is auditing yourself against the administrative, technical, and physical aspects of HIPAA
•  A risk analysis will help you attest to Meaningful Use Stage 1 Core Requirement 15

Step 2. Remediation Plan
•  Prove that you remediated the deficiencies identified in the risk analysis
•  Policies & Procedures, Training, and Attestation

Page 9: How to Survive a HIPAA Audit

Step 3. How do you prove it?
Successful compliance plans address:
•  Administration and Technical
•  Policies and Procedures
•  IT security
•  Devices installed and maintained within your organization
•  Physical
•  Security within physical locations of your practice(s)

(Meaningful Use Stage 2 Core Requirement 9 requires remediation of found deficiencies during the risk analysis to be documented and completed)

Step 4. Maintain your compliance
•  As the regulations, staff, and practice change

Page 10: How to Survive a HIPAA Audit

Questions?

For more information, contact:

Sales & Demo Scheduling Questions

Marc Haskelson 855.854.4722 ext 507

[email protected]

HIPAA Questions

Bob Grant 855.854.4722 ext 502

[email protected]

Page 11: How to Survive a HIPAA Audit

Page 12: How to Survive a HIPAA Audit

HIPAA Education Series sponsored by:

www.compliancy-group.com 855.85 HIPAA (855.854.4722)

Compliance In 3 Steps!

To find out more call: 855.854.4722 or email: [email protected]

[Figure labels: The Guard; Outside Consultant; Manuals or Templates; Risk Assessment Provider; Other Compliance Software]