What is happening with the Affordable Care Act and HIPAA?

J. Ira Bedenbaugh, Consulting Shareholder, Elliott Davis Decosimo


Page 1: J. Ira Bedenbaugh - Elliott Davis · HIPAA Compliance • OCR has engaged FCi Federal to conduct the Phase 2 Audit Program • In Phase 1, OCR found that smaller entities had substantial

What is happening with the Affordable Care Act and HIPAA?

J. Ira Bedenbaugh, Consulting Shareholder

© Elliott Davis Decosimo, LLC / Elliott Davis Decosimo, PLLC

Page 2

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

Page 3

Affordable Care Act

• Employer Shared Responsibility Provision
• 2016 – Penalties will apply to firms with 50 or more employees that do not offer coverage, or that offer coverage which does not meet minimum value and affordability standards
• President Obama recently signed legislation changing the coverage and cost requirements for small businesses

Page 4

Affordable Care Act

• Accountable Care Organizations
• Coordinate Medicare beneficiaries' care and provide services more efficiently
• In 2014:
  • 196 ACOs saved Medicare money; 97 of them received bonuses
  • 157 ACOs had costs greater than Medicare expected; 3 of them had to pay money back to Medicare
  • Net impact was a $3 million loss to Medicare on the $500 billion Medicare spent in 2014

Page 5

Affordable Care Act

• Medicaid expansion
• Medicaid enrollment expanded by 13.8% in FY 2015
• Federal Medicaid spending increased by 13.9% in FY 2015, and state spending increased by 4.5% in FY 2015
• In FY 2016, federal Medicaid spending is expected to increase 6.9% and state spending 4.2%

Page 6

Affordable Care Act

• Insurance Exchange
• Enrollment for 2016 plans began November 1, 2015
• 11.7 million selected plans by the end of the 2015 enrollment period
• 9.9 million were enrolled at the end of June 2015
• Goal of 10 million enrollees for 2016
• 2016 – fines will be the greater of $695 per person ($347.50 per child under 18) or 2.5% of income
• With the 2016 enrollment, consumers will be able to see if their physicians are covered under specific plans

Page 7

Affordable Care Act

• Insurance Co-ops
• Created under the ACA to foster competition by offering consumer-friendly plans with greater choice and better coverage
• Co-ops are in 23 states
• 11 received notices that they must produce "corrective plans"

Page 8

Affordable Care Act

• Cadillac Tax
• Scheduled to take effect in 2018
• 40% excise tax on insurance plans that are deemed too generous – premiums greater than $10,200 for an individual and $27,500 for a family
• Options for governmental entities:
  • Reduce benefits, and therefore the cost of plans
  • Pass the tax along to taxpayers

Page 9

HIPAA

• In August 1996 Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA), with the following goals:
  • Improve portability and continuity of health insurance
  • Combat waste, fraud and abuse in health insurance and health care delivery
  • Promote the use of medical savings accounts
  • Improve access to long-term care
  • Simplify the administration of health insurance

Page 10

Privacy Rule – Protected Health Information

• "Individually identifiable health information" held or transmitted by a covered entity or a business associate in any form or media, including:
  • Demographic data
  • The individual's past, present or future physical or mental health or condition
  • The provision of health care to the individual
  • Past, present or future payment for the provision of health care to the individual

Page 11

Security Rule

• Published in February 2003 by the Department of Health and Human Services
• Sets national standards regarding electronic protected health information ("ePHI"), covering its:
  • Confidentiality
  • Integrity
  • Availability

Page 12

Security Rule – Protected Health Information

• Individually identifiable health information in an electronic form that an entity:
  • Creates
  • Receives
  • Maintains
  • Transmits

Page 13

Responsibilities of Covered Entity

• Covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI
• Ensure the confidentiality, integrity and availability of all ePHI which is created, received, maintained or transmitted
• Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI
• Protect against reasonably anticipated, impermissible uses or disclosures
• Ensure compliance by the workforce

Page 14

HIPAA Breaches

• Breaches reported in NC, SC, TN and VA from January 2014 through October 15, 2015

All entities                 NC         SC         TN         VA
Breaches                      9          4         13         10
Individuals affected    162,227     93,093  4,997,566    818,554
Individuals per breach   18,025     23,273    384,428     81,855

Governmental entities        NC         SC         TN         VA
Breaches                      2          1          1          1
Individuals affected     49,707     50,000      1,717    697,586
Individuals per breach   24,853     50,000      1,717    697,586

Page 15

Types of Breaches

Type of Breach (NC / SC / TN / VA)

• Theft: 3 / 1 / 6 / 4
• Unauthorized Access/Disclosure: 4, 1, 4
• Theft/Unauthorized Access/Disclosure: 3
• Hacking/IT Incident: 1, 2
• Improper Disposal: 1, 2
• Loss: 1, 1
• Loss/Theft: 1
• Other: 1
• Total (from the previous slide): 9 / 4 / 13 / 10

Only the Theft row carries a count for every state. For the other rows the counts are listed in the order they appeared; which state each count belongs to is not recoverable from this transcript, since empty cells were dropped.

Page 16

Types of Breaches – Governmental Entities

Type of Breach                          Governmental
Hacking/IT Incident                     1
Improper Disposal                       1
Loss                                    1
Loss/Theft                              –
Other                                   1
Theft                                   –
Theft/Unauthorized Access/Disclosure    –
Unauthorized Access/Disclosure          1
Total                                   5

Page 17

HIPAA Enforcement

HIPAA Violation                            Minimum Penalty                                        Maximum Penalty
Did not know                               $100 per violation, annual maximum of $25,000          $50,000 per violation, annual maximum of $1.5 million
Reasonable cause and not willful neglect   $1,000 per violation, annual maximum of $100,000       $50,000 per violation, annual maximum of $1.5 million
Willful neglect, corrected                 $10,000 per violation, annual maximum of $250,000      $50,000 per violation, annual maximum of $1.5 million
Willful neglect, not corrected             $50,000 per violation, annual maximum of $1.5 million  $50,000 per violation, annual maximum of $1.5 million

The annual maximum applies to identical violations within a calendar year; the tiers are set out in 45 CFR 160.404.

Page 18

HIPAA Compliance

• The Office for Civil Rights ("OCR") is responsible for enforcement of the HIPAA regulations
• The Federal Trade Commission ("FTC") has begun enforcement under Section 5 of the FTC Act
• OCR and FTC have worked together in parallel investigations of CVS Caremark and Rite Aid
• FTC acted alone in regard to Accretive Health and GMR Transcription, with both entities entering into twenty-year consent agreements

Page 19

HIPAA Compliance

• OCR has engaged FCi Federal to conduct the Phase 2 Audit Program
• In Phase 1, OCR found that smaller entities had substantial problems with compliance, especially with the Security Rule
• 1,200 covered entities will receive audit surveys between the end of September 2015 and the middle of October 2015
• 300 of the 1,200 will be selected for an audit
• Entities will have 10 days to respond to the audit request

Page 20

Focus of Audits

• Privacy Rule
  • Notice of Privacy Practices (2014)
  • Safeguards and Training to Policies and Procedures (2015)
  • Complaints (2016)
• Security Rule
  • Risk Analysis and Risk Management (2014)
  • Device/Media Controls and Transmission Security (2015)
  • Encryption and Decryption (2016)
  • Physical Facility Access Controls (2016)

Page 21

Focus of Audits

• Breach Rule
  • Content and Timeliness of Notifications (2014)
  • Breach Reports (2016)

Page 22

Preparing for an Audit

• Organization should have a current risk assessment

Page 23

Requirements of a Risk Assessment

• Organization must identify where ePHI is stored, received, maintained and transmitted
• Organization must identify and document reasonably anticipated threats to ePHI
• Organization must identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of ePHI
• Organization must assess current security measures

Page 24

Requirements of a Risk Assessment (continued)

• Organization must determine the likelihood of a threat occurrence
• Organization must determine the potential impact of a threat occurrence
• Organization must determine the level of risk and document the corrective actions to be performed to mitigate that risk
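The risk assessment requirements on pages 23 and 24 describe one procedure: inventory where ePHI lives, pair each location with threats and vulnerabilities, record the current controls, rate likelihood and impact, derive a risk level, and document a corrective action. The following is an added worked example, not code from the presentation or from Elliott Davis Decosimo, that carries those steps through as a small risk register and then applies the checks an auditor reading the document would apply (every non-Low risk has a documented corrective action and an owner; every entry records the current controls). The 3x3 likelihood/impact matrix, the Risk fields, the function names and the clinic inventory entries are all assumptions made for this example.

```python
"""Risk register for a HIPAA Security Rule risk analysis (added example)."""
from dataclasses import dataclass, asdict
from typing import List, Optional

# Ordinal scale shared by likelihood, impact and the derived risk level.
# Assumption: a 3x3 qualitative matrix in the style of NIST SP 800-30.
LEVELS = ("Low", "Medium", "High")


@dataclass
class Risk:
    asset: str                 # where ePHI is stored, received, maintained or transmitted
    threat: str                # reasonably anticipated threat
    vulnerability: str         # weakness the threat could trigger or exploit
    current_controls: str      # security measures already in place ("" if not assessed)
    likelihood: str            # Low / Medium / High
    impact: str                # Low / Medium / High
    corrective_action: Optional[str] = None   # documented mitigation, may be missing
    owner: Optional[str] = None               # person accountable for the action


def risk_level(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to a risk level.

    Score = product of the 1..3 ordinals: 1-2 -> Low, 3-4 -> Medium, 6-9 -> High.
    So Low x High is Medium, Medium x High is High, High x High is High.
    """
    score = (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def build_register(risks: List[Risk]) -> List[dict]:
    """Rate every entry and return the register sorted highest risk first.

    Python's sort is stable, so entries with the same level keep their input order.
    """
    rows = [{**asdict(r), "risk_level": risk_level(r.likelihood, r.impact)} for r in risks]
    rows.sort(key=lambda row: LEVELS.index(row["risk_level"]), reverse=True)
    return rows


def audit_findings(register: List[dict]) -> List[str]:
    """Return the gaps an auditor would flag in a documented risk analysis."""
    findings = []
    for row in register:
        where = f"{row['asset']} / {row['threat']}"
        if row["risk_level"] != "Low" and not row["corrective_action"]:
            findings.append(f"{where}: {row['risk_level']} risk has no documented corrective action")
        if row["risk_level"] != "Low" and not row["owner"]:
            findings.append(f"{where}: {row['risk_level']} risk has no owner")
        if not row["current_controls"]:
            findings.append(f"{where}: current security measures were not assessed")
    return findings


# Constructed sample inventory for a hypothetical clinic; not data from the slides.
SAMPLE_RISKS = [
    Risk("Laptops used by billing staff (ePHI maintained)", "Theft of device",
         "Disk not encrypted", "Cable locks in office", "Medium", "High",
         corrective_action="Enable full-disk encryption, enforced via MDM", owner="IT manager"),
    Risk("Claims files sent to clearinghouse (ePHI transmitted)", "Interception in transit",
         "SFTP not enforced; plain FTP fallback allowed", "", "Medium", "Medium"),
    Risk("EHR database server (ePHI stored)", "Unauthorized access by former employee",
         "Accounts not disabled at termination", "Quarterly access review", "High", "High",
         corrective_action="Same-day deprovisioning in the HR offboarding checklist",
         owner="Privacy officer"),
    Risk("Retired fax machine (ePHI stored in memory)", "Improper disposal",
         "No media sanitization step before disposal", "Disposal by facilities vendor",
         "Low", "Medium"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    for row in register:
        print(f"{row['risk_level']:6}  {row['asset']} :: {row['threat']}")
    for finding in audit_findings(register):
        print("FINDING:", finding)
```

The threats in the sample inventory are the same categories the breach tables on pages 15 and 16 use (theft, improper disposal, unauthorized access, interception), which is a useful sanity check on any register: if a breach type that shows up in the public reports for your state is absent from your own threat list, the "reasonably anticipated threats" step was done too narrowly.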

Page 25

Preparing for an Audit

• Organization should have a current risk assessment
• HIPAA policies must be up to date and reflect changes in the regulations
• Business associate agreements must be up to date, and the organization must be able to provide a list of its business associates
• Organization must maintain a HIPAA compliance file that includes evidence of compliance, including training, review of activity logs, breaches and resolution of breaches
• Organization must have a training program in place for staff

Page 26

Ira Bedenbaugh
Email: [email protected]
Phone: 864.552.4715
Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With sixteen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.