HIPAA Compliance. Mandatory for 7 MILLION Covered Entities (CE) & Business Associates (BA) 70% of the market is NOT compliant!

Transcription

1 1

2 HIPAA compliance Mandatory for 7 MILLION Covered Entities (CE) & Business Associates (BA) 70% of the market is NOT compliant! HITECH/EHR incentive requires: Stage 1. Risk Assessment for Meaningful Use Core Measure 15 Stage 2. Illustrate corrective actions Omnibus Rule HIPAA Compliance Compliance date was September 2013 Requires CEs/BAs to be HIPAA compliant CE must have (BAAs) Business Associate Agreements 2

3 Phase 1 Audit Results Only Covered Entities were audited ONLY 11% had no findings/observations 98% of health care providers had at least one negative finding Small-sized Covered Entities struggled with all three HIPAA Standards 3

4 BOTH Covered Entities and Business Associates will be audited Stricter audit protocols Phase 2 Audits OCR (Office of Civil Rights) have started sending Pre-Audit Screening surveys said no one ever 4

5 Pre-Audit Screening Surveys Randomly selected from National Provider Identifier (NPI) database and America s Health Insurance Plans databases A pool of 550 to 800 entities selected for surveys 2 weeks to respond 5

6 Phase 2 Pre-Audit Screening Surveys 6

7 Will focus on: Areas of greater risk to PHI Non-compliance issues observed during Phase 1 Risk Analysis/Assessments Phase 2 Audits Breach Notifications Notice of Privacy Practices Workforce member training Identifying best practices Uncover risks/vulnerabilities not yet identified 7

8 The Seven Fundamental Elements of an Effective Compliance Program 1. Implementing written policies, procedures and standards of conduct. 2. Designating a compliance officer and compliance committee. 3. Conducting effective training and education. 4. Developing effective lines of communication. 5. Conducting internal monitoring and auditing. 6. Enforcing standards through well-publicized disciplinary guidelines. 7. Responding promptly to detected offenses and undertaking corrective action. *Source HHS & OIG 8

9 Phase 2 Preparation Protocols Confirm the organization has recently completed a comprehensive assessment Risk Assessment. Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion. Ensure that the organization has a complete inventory of BAs and their contact information for purposes of the Phase 2 Audit data requests. If the organization has not implemented any of the Security Standards addressable implementation standards for any of its information systems, documentation requires: (1) Why any such addressable implementation standard was not reasonable and appropriate, (2) All alternative security measures that were implemented Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline. requirements for breach notification under the Breach Notification Standards. For health care provider and health plan covered entities, ensure that the organization has a compliant Notice of Privacy Practices and not just a website privacy notice. 9

10 Phase 2 Preparation Protocols (Cont.) Ensure the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI. Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for workforce members to perform their job duties. Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own-device environment). Confirm all systems and software that transmit electronic PHI employ encryption technology, or that the organization has a documented risk analysis supporting the decision not to employ encryption. Confirm the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan. Review the organization s HIPAA security policies to identify any actions that have not been completed as required (physical security plan, disaster recovery plan, emergency access procedures, etc.). 10

11 HIPAA Misconceptions HHS and OCR aren't interested in my practice. It s really hard, complicated and I am better off ignoring it. HIPAA is just that form we have patients sign That s enough. All I need is a Risk Assessment. 11

12 Compliance Plan Step 1. Assess where you are against the regulation (GAP) The key to a risk analysis is auditing yourself against the administrative, technical, and physical aspects of HIPAA A risk analysis will help you attest to Meaningful Use Stage 1 Core Requirement 15 Step 2. Remediation Plan Prove that you remediated the deficiencies identified in the risk analysis Policies & Procedures, Training, and Attestation 12

13 Compliance Plan (Continued) Step 3. How do you prove it? Successful compliance plans address: Administration and Technical Policies and Procedures IT security Devices installed and maintained within your organization Physical Security within physical locations of your practice(s) (Meaningful Use Stage 2 Core Requirement 9 requires remediation of found deficiencies during the risk analysis to be documented and completed) Step 4. Maintain your compliance As the regulations, staff, and practice changes 13

14 Compliance In 3 Steps! HIPAA Education Series sponsored by: HIPAA ( ) 14

15 15

16 Questions? For more information, contact: Sales & Demo Scheduling Ques3ons Marc Haskelson ext 507 HIPAA Ques3ons Bob Grant ext

17 17