HIPAA and Leadership. The Importance of Creating a More Compliance Focused Environment

Transcription

1 HIPAA and Leadership The Importance of Creating a More Compliance Focused Environment 1

2 AGENDA HIPAA Basics The Importance of Leadership in RIM and IG Creating a More Compliance Focused Culture Potential Challenges That You May Encounter HIPAA and You 2

3 HIPAA Basics What does HIPAA stand for? The speed limit HIPAA and social media 3 purposes of HIPAA 1. To combat waste and fraud in health insurance 2. Improve portability/continuity of health insurance 3. Simplify administrative side of health insurance 3

4 Basics DHHS OCR NPRM CE and BA and their responsibilities BAA s Audits for 2015 Risk assessments HIPAA impacts more than just medical records 4

5 What is PHI? all geographic identifiers smaller than a state; dates directly related to an individual; phone numbers; fax numbers; social security numbers; medical record numbers; health insurance beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifier and serial numbers; web uniform resource locators (URL s); internet protocol (IP) numbers; biometric identifiers (finger prints, retinal prints and voice prints); full face photos and any other comparable images (such as tattoos); any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data. 5

6 Leadership Leadership is largely responsible for assuring compliance! Leadership involves more that a title or job description Leadership incorporates several departments Leadership is responsible for organizational compliance Leadership is a critical component to get buy in from, in regards to any compliance matter Leadership is responsible for liability that the organization is subjected to Leadership sets the tone for the corporate culture either positive or negative 6

7 Breach Definition unauthorized acquisition, access, use, or disclosure of Protected Health Information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information Any impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised 7

8 Breaches Identity theft is the driver for most breaches Does leadership want their organization to be the subject of Tweets, shares, likes? ID theft was a $28 Billion industry in 2013 Well over 700 million records have been breached since 2005 What are the thieves after? Billing and insurance records, medical files, payment details, prescriptions, social security numbers Medical ID theft has risen 400% in the past year 8

9 Creating a Compliance Culture What is compliance? Following the rules Creating a more transparent business operating and reporting climate to support market confidence In other words, your customers, as well as the companies that work with or for you, want to know that your organization knows what it s doing! Clearly defined policies, procedures, and practices Compliance Management, in contrast, is the means by which organizations can assure compliance in accordance with the rules, regulations, laws, and other requirements to which the organization is subject. Compliance Management involves oversight, assessment, reporting, educating, and noting needs for remediation, while the element of assurance comes from reliable evidence of compliance. Or, proof 9

10 Attribute of a Culture of Compliance A positive Culture of Compliance includes strategic vision and relates to larger strategic goals. It is established by top management It is characterized by senior management example It is embedded in activities such as education It is reinforced by incentive systems It is given force through the treatment of transgressors. It is not sufficient to simply publish policies and provide them to employees. Policies must be enforced! It is integral to information systems and their use and management It is inseparable from the organization s structure, processes, and management style 10

11 Positive Culture of Compliance A positive culture: encompasses enterprise risk management addresses the risks that arise in each strategic area establishes control points for the risk elements ensures controls are well documented for internal and external purposes identifies the specific people responsible for managing each compliance element Without a commitment to compliance, even the best policies and procedures will be useless. 11

12 3 C s of Compliance Compliance has, at its basis, 3 essential and continuous elements 1. Communication 2. Confirmation 3. Correction 12

13 What Are The Signs of a Culture of Compliance? If you have to go looking for signs of compliance, then it is probably isn t there. Communication: Evident in consistent messages to personnel. Individuals know what is expected of them and provide vertical as well as horizontal communications. Confirmation: Expect processes and activities to be measured and results reported. Each position has a defined set of competencies, and performance is measured and rewarded. Monitoring and feedback are characteristics of all automated systems and procedures. Correction: Because of clear and consistent communication and confirmation, it is immediately known when a process, activity, result, or condition is outside of its acceptable parameters. Even trends and anomalous patterns are detected and information about them is directed into the measurement, reporting and response cycle. Things don t stay broken in a culture of compliance because the responsible parties are identified and held accountable. 13

14 Don t Cut Corners Avoid just the appearance of compliance Don t just go for short term profit versus long time risks Signs of this: Things are too good to be true Problems do not rise to the surface. Only good news please mentality You cannot drill down to the details that support compliance reports. The results must be honest and complete. Good intentions aren t good enough anymore. 14

15 Suggestions Reward the problem identifiers Reward the problem solvers Make sure employees realize that management will not accept covering up problems Allow management, auditors, and regulatory examiners to look into the facts, details, and numbers that make up compliance reporting As the management team operates the organization s daily business, it needs the confidence it can only receive from a Culture of Compliance. The organization also needs the benefits that accrue from a well conceived and executed compliance management program featuring continuous improvement. The best solution involves coordinating the diverse compliance management activities through a single management entity equipped with a solid mandate and a compliance management system that is capable of combining similar activities for efficiency and the maintenance of a comprehensive database of compliance requirements. Only in such an environment can the governance bodies be assured of effective and sustainable compliance. 15

16 Challenges You May Face? Less than 100% buy in from Leadership Team (CEO, CFO, CISO, Privacy Officer, etc) That IT is a completely separate business segment that needs addressed! People not being 100% truthful-this lends itself to increased risk, increased liability, and fines and penalties Often times, this is strictly a pride issue. Ask yourself if it is worth the risk? Short cuts, dishonesty, or inaccurate assumptions and presumptions such as we have always done it this way, or we are good because nothing has happened yet Why do they always say yet? 16

17 Challenges Policies and procedures may conflict with reality Employees may or may not buy in If they fail to buy in, what will you do if your goal is to create this new culture? Coordinating the diverse compliance management activities through a single management entity equipped with a solid mandate and system that is capable of combining efficiency and maintaining a comprehensive database of requirements 17

18 HIPAA and It s Impact on Business HIPAA now governs HR records Law firms, CPA s, insurance companies, health plans, health care clearinghouses, health care providers, shredding companies, offsite record storage companies, scanning/imaging companies, software companies, IT companies, anyone that touches or has access to your information, is now responsible for any associated risk and liability including fines and penalties If you are a CE, do you have the required updated BAA s with your business associates? Who is a BA? 18

19 Business Associates Any person or entity that will perform a covered function under HIPAA for you or your organization (either for or on behalf of) Covered functions? Create, store, maintain, transmit or transport. offsite record storage companies, scanning/imaging, document destruction, x-ray collection, software hosts or that have remote access into your database, attorneys, etc. Can they each provide proof of a formal and documented HIPAA training program to you, that is current? 19

20 *Civil Penalties* The 4 Tiers of civil penalties: (All monetary and in a calendar year) Tier A Lowest level, single violation (an oops ) Fine: not less than $100 up to $50,000 each Tier B Reasonable cause: A reason that would motivate a person of ordinary intelligence under the circumstances Fine: not less than $1,000 up to $50,000 each Tier C Willful neglect but corrected: Conscious or intentional failure to perform a duty due to negligence. Fine: not less than $10,000 up to $50,000 each Tier D Multiple violations by willful neglect not corrected Fine: not less than $50,000 up to *$1.5 million Copyright 2015 by Tom Dumez All Rights Reserved All such violations of an identical provision in a calendar year is also $1.5 million 20

21 Criminal Penalties The 3 Tiers of criminal penalties: Tier A Wrongful disclosure: knowingly uses or causes PHI to be used Fine: Up to $50,000 fine and 1 year imprisonment Tier B Wrongful disclosure under false pretenses: a reporter who fails to identify themselves as a member of the press, obtains PHI & publishes it Fine: Up to $100,000 fine and 5 years imprisonment Copyright 2015 by Tom Dumez All Rights Reserved Tier C Wrongful disclosure under false pretenses with intent to sell, or use for commercial or personal gain or malicious harm Fine: Up to $250,000 fine and 10 years imprisonment 21

22 Mitigate Risks! Make sure that someone knows and understand just what is required, of various laws that pertain to your industry Make sure that PnP are good and sound Make sure that the practices match the PnP s Make sure that you regularly evaluate all impacted systems Make sure you have a DR Plan Make sure you get proof that not only your company, but each employee, knows nd understands the risks as well as the fines and penalties! Who Pays? 22

23 QUESTIONS? 23