Text. What the Heck is a HIPAA AUDIT? Presented by Sue Miller


Slide 2: What to do before you are audited? What to do after you are audited?

Slide 3: AGENDA
Types of Enforcement
Review 2016 OCR HIPAA Audits, Phase 2
Effective Compliance Program
Effective Audit Questions

Slide 4: Types of Enforcement
Complaint
Investigation
Criminal
Audit

Slide 5: Complaints
Complaints to the Secretary - in the original 1996 Law and related regulations: 45 CFR
Complaint Requirements - Your complaint must:
1. Be filed in writing
2. Name the covered entity
3. Be filed within 180 days of the occurrence...

Slide 6: Investigation
Investigations - from the original 1996 HIPAA Law and related regulations
Results in:
Resolution Agreements
Corrective Action Plans
Penalties and Fines

Slide 7: HIPAA Criminal Enforcement

Slide 8: Penalties and Fines

Violation                        Amount per violation   Violations of an identical provision in a calendar year
Did not know                     $100 - $50,000         $1,500,000
Reasonable cause                 $ $50,000              $1,500,000
Willful neglect - corrected      $10,000 - $50,000      $1,500,000
Willful neglect - not corrected  $50,000                $1,500,000


Slide 10: Phase 2 Audits
Released March 21, 2016: The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.
Can grow into an investigation and result in:
Resolution Agreements
Corrective Action Plans
Penalties and Fines

Slide 11: OCR 2016 HIPAA Desk Audit - Guidance on Selected Protocols
Privacy:
Notice of Privacy Practice - Content Requirements, (a)(1) + (b)(1)
Provision of Notice - Electronic Notice, (c)(3)
Right to Access, (a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)
Security:
Security Management Process - Risk Analysis, (a)(1)(ii)(a)
Security Management Process - Risk Management, (a)(1)(ii)(b)
Breach:
Timeliness of Notification, (b)
Content of Notification, (c)(1)


Slide 13: OCR 2016 HIPAA Desk Audit
Slides from audited entity webinar held July 13, 2016
Comprehensive question and answer listing
Learn more about the Audit Program Protocol


Slide 15: NOW FOR THE HARD WORK - Before an Audit

Slide 16: Collect All HIPAA Documentation
Policies, Procedures, Plans and Process
Risk Analysis/Assessment
Inventories
Contingency Plan (DR/BC)
Training Plan, Training
Communication Plan
Breach Notification Plan
Remote Access Survey
Job Descriptions
Meeting Agendas, Meeting Notes
Mitigation Plans
Compliance and Monitoring Plan

Slide 17: Yearly HIPAA Work
HIPAA Security Review, including Risk Analysis/Assessment
HIPAA Privacy Review
HIPAA Breach Review

Slide 18: Compliance Monitoring
With an event:
Breach or Security Incident
New facilities
New security controls
New technology
New regulations
New services


Slide 20: NOW FOR THE HARD WORK - After OCR Schedules an Audit

Slide 21: Notify Your Attorney
Forward, or acknowledge the call and forward to the appropriate manager
This is not a failure on your part
Be pleasant and polite
Respond in the appropriate timeframe

Slide 22: No More Documentation than Asked
Send the following:*
Most recent Notice of Privacy Practices + Policy and Procedures on Electronic Notice, plus URL
Most recent Right to Access Policy and Procedures, outline of access requests, template letter
Most recent Risk Analysis Policies and Procedures, documentation of current risk analysis + results
Most recent Risk Management Policies and Procedures, documentation of efforts to manage risk; documentation of security controls
Documentation of 5 breach incidents of the previous year affecting fewer than 500 individuals, date of notification, reason for any delay in notification
*selected from the Document Requested List column


Slide 24: STRAIGHT FROM THE HORSE'S MOUTH!

Slide 25: Jocelyn Samuels, OCR Director
NIST Safeguarding Health Information: Building Assurance through HIPAA Security, October 19, 2016
Transparency: extensive information on the website, including all the protocols
Doing PRIMARILY bench audits; some on-site audits in 2017
NOT A GOTCHA Game
Want to find HIPAA problems before they ripen into HIPAA VIOLATIONS
Will use to publish more guidance documents
Will report anonymized data to the public and Congress
HIPAA ENFORCEMENT is to hold covered entities and business associates accountable for their responsibilities

Slide 26: Deven McGraw, Deputy Director, OCR
Desk audits of covered entities underway
167 ongoing covered entity audits right now
Asked for risk analysis, risk management plan and NPP
Business associate audits will begin November 2017
Most covered entities provided lists of business associates
OCR now has a list of 20,000 business associates
Not asking for follow-on business associates this round
Business associate audits will be the same as covered entities
Will be asked for risk analysis, risk management plan, and breach notification plan

Slide 27: Litmos Healthcare
Award winning Learning Management Platform
Attentive and responsive Sales & Client Care
Over 500 courses available
Customizable
Affordable
Free Trial
Sophisticated, Secure, Robust

Slide 28: QUESTIONS??????? WHO? WHAT? WHEN?

Slide 29: Thank You
Please contact: Susan A. Miller, JD
O = (978)
tmsam@aol.com