how not to fail your hipaa and meaningful use audit
TRANSCRIPT
1 Copyright 2007-2015 855-85-HIPAA
www.compliancygroup.com
How NOT To Fail Your HIPAA/Meaningful Use Audit
Today’s Lesson
§ Are you HIPAA compliant?
§ The BIG misconception
§ HIPAA overview
§ HIPAA vs. Meaningful Use
§ Phase 2 audits
§ How to pass your audit
§ Breaches and enforcement
Policies and Procedures
§ I have a manual, so I am compliant, right?
Workforce Training
* Cost shown is for a 10-employee practice
Risk Assessments
§ I had an expensive Security Risk Assessment done.
§ Am I compliant now?
The BIG Misconception
“I completed a Risk Assessment, I’m HIPAA compliant.”
§ Covered Entities (CEs) fail to understand the difference between HIPAA and HITECH.
§ A Risk Assessment is only one part of HIPAA compliance.
§ ALL aspects of HIPAA are needed to pass an audit.
• 70% of Covered Entities are not compliant
• 79% of Covered Entities fail their Meaningful Use audit
Trends in HIPAA
§ 1 in 4 Americans affected by the Anthem breach
§ THREE prison sentences
§ Indiana dentist – license permanently revoked for “mishandling medical records”
§ WellPoint Inc. – $1.7 million settlement caused by a BA performing a software upgrade
§ HIPAA compliance as a differentiator: Fitbit Inc. announces its HIPAA compliance
• Stock price soared; expanded corporate wellness (Target Corporation)

Violation Settlements, Q1 2015 (chart):
• Nonprofit (Alaska) – $150k
• Pharmacy (Colorado) – $125k
• Physician Practice (Indiana) – $750k
• Hospital (Texas) – $4.4M
• Dentist (Indiana) – $12k
HIPAA & HITECH
§ HIPAA • Protect patient confidentiality while furthering innovation and patient care.
§ HITECH/Meaningful Use • Accelerate adoption of EHR (electronic health records).
§ Omnibus • Business Associates must protect PHI.
§ Penalties or incentives for adherence
The Three Rules
§ Privacy Rule – sets standards for when protected health information (PHI) may be used and disclosed.
§ Security Rule – requires safeguards to ensure that only those who should have access to electronic protected health information (ePHI) will have access.
§ Breach Notification Rule – breaches of unsecured PHI require notifying HHS, affected individuals, and in some cases the media.
(Diagram, labels only: Administrative Audit; Privacy Audit; Security Audit – HIPAA Security Rule Standards; Meaningful Use Risk Assessment)
Attesting For Meaningful Use
§ Providers are required to demonstrate Meaningful Use EVERY year
§ Risk Assessment – required for each reporting period for BOTH Stage 1 and Stage 2
• “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”*
* Source: the Security Rule risk analysis standard, 45 CFR § 164.308(a)(1)(ii)(A)
Phase 2 Audits
§ BOTH Covered Entities and Business Associates will be audited
§ OCR (Office for Civil Rights) audit request is sent 2 weeks prior to the audit
§ Stricter audit protocols
§ The vendor to carry out the audits has been selected – FCi Federal
The Seven Fundamental Elements of an Effective Compliance Program
Compliance according to HHS:
1. Implementing written policies, procedures and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action.
* Source: HHS and OIG
Passing Your Audit (I)
§ Must have completed or updated a comprehensive Risk Assessment within the last 12 months
§ Confirm that deficiencies discovered during the Risk Assessment were addressed or have a reasonable remediation timeline
§ If addressable standards of the Security Rule were not implemented, you MUST document:
• WHY the standard was not appropriate or reasonable
• The alternate security measures that were implemented
Puzzle pieces covered: Audits (SRA (Security Risk Assessment), Administrative, Privacy); Remediation Plans
Passing Your Audit (II)
§ Breach Notification Policy must reflect the latest Breach Notification Standards
§ Must have a Notice of Privacy Practices (not just on your website)
§ Policies and procedures must be kept up to date
§ Employees must be trained on HIPAA
• Required annually, or as changes are made to policies and procedures
Puzzle pieces covered: Policies, Procedures & Training; Document Version; Employee Attestation & Tracking
Passing Your Audit (III)
§ Update your database of Business Associates
• BAAs must reflect the Omnibus changes
§ Inventory of IT devices with access
§ Proper and reasonable safeguards for PHI that exists in any form, paper or electronic
§ Review your compliance plan
§ Maintain your compliance
Puzzle pieces covered: Business Associate Management; Incident Management
Laptop Theft
§ A radiation oncology private physician practice, Cancer Care Group, P.C.
§ A laptop theft led to a breach
§ But the lack of a comprehensive risk analysis and of a device and media control policy led to a steep penalty
§ Settlement: $750,000 (9/2/15)
Mishandling PHI
§ Kokomo-area dentist, Dr. Joseph Beck
§ “Mishandled medical records containing sensitive information of more than 5,600 patients.”
§ Settlement: $12,000, and Dr. Beck’s license to practice dentistry was permanently revoked (1/9/15)
Practice Sued By Patients
§ Midwest Women’s Healthcare Specialists improperly disposed of the PHI of 1,532 patients in May 2014
§ Class-action lawsuit brought by patients
§ Settlement: $400,000 (12/4/14)
§ HHS fine: TBD
Avoidable Breach
§ Nonprofit org. – Anchorage Community Mental Health Services (ACMHS)
§ Malware caused a breach of unsecured ePHI
§ “ACMHS had adopted policies and procedures in 2005, but these policies and procedures were not followed and/or updated.”
§ ACMHS could have avoided the breach (and would not have been subject to the settlement agreement) if it had followed its own policies and procedures
§ Settlement: $150,000, plus a corrective action plan to correct deficiencies in its HIPAA compliance program (1/5/15)
Breaches Are On The Rise
*2015 data through September 18, 2015; Source: HHS Office for Civil Rights
The Problems With Industry Solutions
A Risk Assessment is NOT enough!
§ Typical solutions – policy, procedure and training templates and/or a Security Risk Assessment.
§ These only address pieces of compliance and require additional costs for the additional components.
§ This leads to cumbersome internal efforts, outside resources, and no assurance of compliance.
(Chart: Total Cost of Compliance per year, single-location practice/organization)
Solving The HIPAA Compliance Puzzle
§ The pieces of HIPAA compliance.
§ Every piece must be completed annually or as the regulations change.
§ Missing even one piece can result in fines or loss of reputation.
The pieces:
• Audits (SRA (Security Risk Assessment), Administrative, Privacy)
• Remediation Plans
• Policies, Procedures & Training
• Business Associate Management
• Incident Management
• Document Version
• Employee Attestation & Tracking
Compliance Questions?
For more information, contact:
Sales & Demo Scheduling Questions Marc Haskelson
855.854.4722 ext 507 [email protected]
HIPAA Questions Bob Grant
855.854.4722 ext 502 [email protected]