how not to fail your hipaa and meaningful use audit

1 Copyright 2007-2015 855-85-HIPAA www.compliancygroup.com How NOT To Fail Your HIPAA/Meaningful Use Audit

Upload: compliancy-group

Post on 23-Feb-2017


Category: Education


2 download

TRANSCRIPT

How NOT To Fail Your HIPAA/Meaningful Use Audit


Today’s Lesson

- Are you HIPAA compliant?
- The BIG misconception
- HIPAA Overview
- HIPAA vs. Meaningful Use
- Phase 2 Audits
- How to pass your audit
- Breaches and enforcement


Are YOU HIPAA Compliant?


Policies and Procedures

- I have a Manual, I am compliant, “right”?


Workforce Training

(Chart: training cost; footnote: * cost for a 10-employee practice)


Risk Assessments

- I had an expensive Security Risk Assessment done
- Am I compliant now?


The BIG Misconception

- CEs (Covered Entities) fail to understand the difference between HIPAA and HITECH.
- A Risk Assessment is only a part of HIPAA compliance.
- ALL aspects of HIPAA are needed to pass an audit.

“I completed a Risk Assessment, I’m HIPAA Compliant.”

- 70% of Covered Entities are not compliant
- 79% of Covered Entities fail their Meaningful Use audit


Trends in HIPAA

- 1 in 4 Americans affected by the Anthem breach
- THREE prison sentences
- Indiana Dentist – License permanently revoked for “Mishandling medical records”
- Wellpoint Inc. – $1.7 Million settlement caused by a BA (Business Associate) performing a software upgrade
- HIPAA compliance as a differentiator
  - Fitbit Inc. – announces its HIPAA compliance
  - Stock price soared, expanded corporate wellness (Target Corporation)

Violation Settlements, Q1 2015 (chart):

- Nonprofit (Alaska): $150k
- Pharmacy (Colorado): $125k
- Physician Practice (Indiana): $750k
- Hospital (Texas): $4.4M
- Dentist (Indiana): $12k


HIPAA & HITECH

- HIPAA
  - Protect patient confidentiality while furthering innovation and patient care.
- HITECH/Meaningful Use
  - Accelerate adoption of EHR (electronic health records).
- Omnibus
  - Business Associates must protect PHI.
- Penalties or incentives for adherence


Privacy Rule, Security Rule, Breach Notification Rule

- Security Rule: requires safeguards to ensure only those who should have access to electronic protected health information (ePHI) will have access.
- Privacy Rule: sets standards for when protected health information (PHI) may be used and disclosed.
- Breach Notification Rule: breaches of unsecured PHI require notifying HHS, affected individuals, and in some cases the media.


(Diagram: Administrative Audit, Privacy Audit, Security Audit; HIPAA Security Rule Standards; Meaningful Use Risk Assessment)


Attesting For Meaningful Use

- Providers required to demonstrate Meaningful Use EVERY year
- Risk Assessment – required for each reporting period for BOTH Stages 1 and 2
  - “Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”*


Phase 2 Audits

- BOTH Covered Entities and Business Associates will be audited
- OCR (Office for Civil Rights) audit request sent 2 weeks prior to audit
- Stricter audit protocols
- Vendor to carry out audits has been selected – FCi Federal


The Seven Fundamental Elements of an Effective Compliance Program

Compliance according to HHS:

1. Implementing written policies, procedures and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action.

*Source: HHS & OIG


Passing Your Audit (I)

- Must complete or update a comprehensive Risk Assessment within the last 12 months
- Confirm deficiencies discovered during the Risk Assessment were addressed or have a reasonable timeline
- If addressable standards of the Security Rule were not implemented, you MUST document:
  - WHY the standard was not appropriate or reasonable
  - Alternate security measures that were implemented

(Compliance puzzle pieces shown: Remediation Plans; Audits: SRA (Security Risk Assessment), Administrative, Privacy)


Passing Your Audit (II)

- Breach Notification Policy must reflect the latest Breach Notification Standards
- Must have a Notice of Privacy Practices (not just on your website)
- Policies and procedures must be updated
- Employees must be trained on HIPAA
  - Required annually or as changes are made to policies and procedures

(Compliance puzzle pieces shown: Policies, Procedures & Training; Document Version; Employee Attestation & Tracking)


Passing Your Audit (III)

- Update database of Business Associates
  - BAAs must reflect Omnibus changes
- Inventory of IT devices with access
- Proper and reasonable safeguards for PHI that exists in any form, paper or electronic
- Review your compliance plan
- Maintain your compliance

(Compliance puzzle pieces shown: Business Associate Management; Incident Management)


Laptop Theft

- A radiation oncology private physician practice, Cancer Care Group, P.C.
- A laptop theft led to a breach
- But the lack of a comprehensive risk analysis and a device and media control policy led to a steep penalty
- Settlement: $775,000 (9/2/15)


Mishandling PHI

- Kokomo-area dentist, Dr. Joseph Beck
- “Mishandled medical records containing sensitive information of more than 5,600 patients.”
- Settlement: $12,000 and Dr. Beck’s license to practice dentistry was permanently revoked (1/9/15)


Practice Sued By Patients

- Midwest Women’s Healthcare Specialists improperly disposed of the PHI of 1,532 patients in May 2014
- Class-action lawsuit brought by patients
- Settlement: $400,000 (12/4/14)
- HHS Fine: $$$$$$ (TBD)


Avoidable Breach

- Nonprofit org. – Anchorage Community Mental Health Services (ACMHS)
- Malware caused a breach of unsecured ePHI
- “ACMHS had adopted policies and procedures in 2005, but these policies and procedures were not followed and/or updated.”
- ACMHS could have avoided the breach (and would not have been subject to the settlement agreement) if it had followed its own policies and procedures
- Settlement: $150,000 and adoption of a corrective action plan to correct deficiencies in its HIPAA compliance program (1/5/15)


Breaches Are On The Rise

(Chart: breaches by year; *2015 data through September 18, 2015; Source: HHS Office for Civil Rights)


The Problems With Industry Solutions: A Risk Assessment is NOT enough!

- Typical solutions – Policy, Procedures, and Training templates and/or a Security Risk Assessment.
- Only address pieces of compliance and require additional costs for additional components.
- Leads to cumbersome internal efforts, outside resources, and no assurance of compliance.

(Chart: Total Cost of Compliance per year, single-location practice/organization)


Solving The HIPAA Compliance Puzzle

- The pieces of HIPAA compliance.
- Every piece must be completed annually or as the regulations change.
- Missing even one piece can result in fines or loss of reputation.

(Compliance puzzle pieces shown: Audits: SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training; Business Associate Management; Incident Management; Document Version; Employee Attestation & Tracking)


Compliance Questions?

For more information, contact:

- Sales & Demo Scheduling Questions: Marc Haskelson, 855.854.4722 ext 507, [email protected]
- HIPAA Questions: Bob Grant, 855.854.4722 ext 502, [email protected]


Until Next Time!