How to Survive a HIPAA Audit
Transcript of How to Survive a HIPAA Audit
855.85HIPAA www.compliancygroup.com 1 Copyright 2007-2015
HIPAA Compliance
• Mandatory for 7,000,0000 Covered Entities (CE) & Business Associates (BA)
• 70% of the market is NOT compliant!
HITECH/EHR incentive requires:
• Stage 1. Risk Assessment for Meaningful Use Core Measure 15
• Stage 2. Illustrate corrective actions
Omnibus Rule
• Compliance date was September 2013
• Requires CEs/BAs to be HIPAA compliant
• CE must have Business Associate Agreements (BAAs)
Phase 1 Audit Results
• Only Covered Entities were audited
• ONLY 11% had no findings/observations
• 98% of health care providers had at least one negative finding
• Small-sized Covered Entities struggled with all three HIPAA Standards
Phase 2 Audits
• BOTH Covered Entities and Business Associates will be audited
• OCR (Office for Civil Rights) audit request sent 2 weeks prior to audit
• Stricter audit protocols
Audit Preparation
• Risk Assessment must be completed or updated within the last 12 months
• Deficiencies discovered during the Risk Assessment must be addressed or have a reasonable remediation timeline
• Updated policies and procedures
• HIPAA training for employees, required annually or as changes are made to policies/procedures
Audit Preparation (continued)
• Updated database of Business Associates
• BAAs must reflect Omnibus changes
• Inventory of IT devices with access to ePHI
• Proper and reasonable safeguards for PHI that exists in any form, paper or electronic
• Review your compliance plan
HIPAA Misconceptions
• “HHS and OCR aren't interested in my practice.”
• “It’s really hard, complicated and I am better off ignoring it.”
• “HIPAA is just that form we have patients sign – that’s enough.”
• “All I need is a Risk Assessment.”
Compliance Plan
Step 1. Assess where you are against the regulation (GAP)
• The key to a risk analysis is auditing yourself against the administrative, technical, and physical aspects of HIPAA
• A risk analysis will help you attest to Meaningful Use Stage 1 Core Requirement 15
Step 2. Remediation Plan
• Prove that you remediated the deficiencies identified in the risk analysis
• Policies & Procedures, Training, and Attestation
Step 3. How do you prove it? Successful compliance plans address:
• Administrative and Technical
  • Policies and Procedures
  • IT security: devices installed and maintained within your organization
• Physical
  • Security within the physical locations of your practice(s)
(Meaningful Use Stage 2 Core Requirement 9 requires remediation of deficiencies found during the risk analysis to be documented and completed)
Step 4. Maintain your compliance
• As the regulations, staff, and practice change
Questions?
For more information, contact:
Sales & Demo Scheduling Questions: Marc Haskelson, 855.854.4722 ext 507
HIPAA Questions: Bob Grant, 855.854.4722 ext 502, [email protected]
HIPAA Education Series sponsored by:
www.compliancy-group.com 855.85 HIPAA (855.854.4722)
Compliance In 3 Steps!
To find out more call: 855.854.4722 or email: [email protected]
[Comparison chart: The Guard vs. Outside Consultant, Manuals or Templates, Risk Assessment Provider, Other Compliance Software]