Preparing for Phase 2: The next generation of HIPAA audits
Organizations will face enhanced privacy and security scrutiny
valueoutcome July 2014

Highlights

1. In preparation for Phase 2 audits, covered entities should pay extra attention to areas the OCR has indicated represent heightened risk. These include:
   - Risk assessment
   - Individuals' right to access their PHI
   - Authorizations
   - Minimum necessary use and disclosure
   - Notice of privacy practices
   - Breach notification and incident response
   - Access controls
   - Encryption
   - Logging
2. Pre-audit surveys of covered entities are expected in summer
The OCR will send document requests to organizations selected for audits in fall
Phase 2 audits are expected to run from October 2014 through June
Business associate audits are scheduled to begin in
The OCR's pre-audit survey will ask each covered entity to identify its business associates and supply their contact information. In preparation, organizations should collect and validate this information as soon as possible.

In an attempt to verify compliance with HIPAA's Security Rule, Privacy Rule, and Breach Notification Rule (collectively, the "HIPAA Rules"), the Office for Civil Rights (OCR) began in 2012 to pilot privacy and security audits of payers, providers, and healthcare clearinghouses (i.e., "covered entities"). In March 2014, the OCR announced the implementation of a Phase 2 audit program to begin in fall 2014 based on the findings of the pilot audits. In Phase 2, the OCR will conduct audits of HIPAA-covered entities, with audits for business associates anticipated to begin in

The Phase 2 audit program will have a different look and feel from the pilot program. Phase 2 audits will be conducted as desk audits (although the OCR has also reserved the right to conduct on-site audits as its resources allow). The new audits will be guided by findings from the pilot program that indicate areas of heightened risk or vulnerability to privacy or security breaches.

In Phase 2 of its HIPAA compliance audit program, the OCR will distribute surveys to approximately organizations, from which 350 will be randomly selected for audit.

[1] Information in this paper is sourced from the US Department of Health and Human Services Office for Civil Rights report, OCR Audits of HIPAA Privacy, Security, and Breach Notification, Phase 2, Linda Sanches, MPH, Senior Advisor, Health Information Privacy, March 31, nt2.pdf

Background

Phase 2 audits incorporate new processes, standards

The OCR's pilot program audited 115 entities, including 61 providers, 47 health plans, and seven clearinghouses. The OCR assessed compliance with 169 requirements corresponding to the provisions of the HIPAA Rules. The agency contracted a third-party auditor to conduct audits on site. Each audit ranged from hours, requiring three to four weeks of active audit work, depending on an organization's size and structure.

Goals of the pilot audit included not only measuring compliance with regulatory requirements, but also developing a replicable audit program that is comprehensive, flexible, and applicable across the diverse range of covered entities and business associates.

Audits will be guided by pilot findings

The majority of providers audited in the pilot had at least one security finding or observation. Deficiencies in compliance with the HIPAA security provisions accounted for 60% of the audit findings and observations in the pilot program, most notably the lack of complete and accurate risk assessment in two-thirds of the entities audited.[2] Entities that did well and had no security findings or observations generally met the standard by fully implementing the addressable specifications. From a privacy perspective, the most commonly cited findings included meeting the requirements for access to protected health information, notice of privacy practices, and the timing and content of breach notices.

[2] Pilot audit results found no complete and accurate risk assessment in two-thirds of the entities audited, including 47 of 59 providers, 20 of 35 health plans, and two of seven clearinghouses.

For every finding and observation cited in the audit report, the OCR identified a cause. The most common cause of noncompliance across all entities was lack of awareness about the requirement.
Other noted causes included the lack of sufficient resources, incomplete implementation, and, in a few instances, according to the OCR, complete disregard for the requirement.

Whereas the pilot audits used contracted staff to perform on-site assessments, the new audit program is expected to be conducted by OCR staff. The desk audit approach means organizations will have no opportunity to seek clarification or ask questions of the auditors. Similarly, the auditors will not be able to contact the covered entity for clarification or additional information.

To help stratify the list of potential organizations for audit, the OCR plans to issue a pre-audit survey in summer The survey will help verify and collect data on covered entities, data that is not currently available to the OCR. This data will help the OCR classify organizations during the audit selection process. The OCR will distribute the survey online to approximately organizations, from which 350 will be randomly selected for audit. The OCR has made it clear that the failure of an entity selected for a desk audit to submit a response may lead to a referral for a regional compliance review.

The OCR will send notifications to the organizations selected for audits in fall Organizations are expected to have two weeks from the receipt of the notification letter to respond to the document request list. While the OCR did allow for policies and requested documentation to be edited or created up until the time of submission during the pilot audits (and presumably will do so in the Phase 2 audits as well), organizations that lack the requested documentation will have difficulty creating and implementing it within a couple of weeks.

The OCR's audit program is expected to begin fall 2014, when the agency will conduct audits of covered entities. In 2015, the OCR is expected to begin auditing business associates.

The OCR has been clear in its expectations of covered entities for the Phase 2 audit program.
Organizations selected for an audit can expect the following:

- The OCR will assess only documentation submitted on time.
- All documentation must be current as of the date of the request.
- There is no opportunity to seek clarification or ask questions of the auditors.
- Auditors are not able to contact the organization for clarification or additional information.
- Submitting extraneous information may make it difficult for auditors to locate and assess required items, which may have an adverse effect on an organization's audit results.
- The OCR will review all items submitted whether requested or not. Any issue the OCR finds with the extraneous documentation will be duly noted and acted upon.

Analysis

Setting the stage for a successful audit

For a well-prepared and governance-oriented organization, the OCR's desk audit approach will likely be less burdensome than the pilot. On the other hand, the new approach could be problematic for organizations that lack structure and comprehensive documentation regarding their privacy and security policies and processes. Regardless, covered entities and business associates should use this lead time to address gaps in their policies and procedures and consider how best to demonstrate their compliance with HIPAA requirements.

To gauge their readiness for an audit, organizations should complete a HIPAA Security Rule risk assessment that is thorough, on point, and easy to understand. In the OCR's pilot audit program, two-thirds of the organizations audited had no complete and accurate risk assessment, making it likely that this will be an area subject to particular inspection in the Phase 2 audits. Organizations should consider implementing remediation activities and conducting an inventory of their systems that handle electronic personal health information.

Generally speaking, an organization's documentation of its HIPAA program should be clear, comprehensive yet concise, current, and easy to follow for the reviewer. To prepare for an audit, organizations should assume the role of the auditor and evaluate their documentation from the auditor's perspective. How does the organization portray its compliance?

An organization's established privacy and security policies and procedures will be its primary vehicle for telling its story. Accordingly, covered entities should conduct a thorough review and gap analysis of those policies and procedures.
Organizations should ensure that their practices include changes from the Omnibus Rule and are not a wholesale reiteration of implementation specifications. Policies and procedures should demonstrate a thoughtful and effective HIPAA program and accurately reflect an organization's privacy and security practices.

Organizations should also compile a list of business associates and their contact information and review the list for completeness and accuracy. (Business associates should likewise undertake this exercise for subcontractors.)

Finally, organizations should be responsive to the OCR's documentation request; sending a disorganized or disproportionate response will detract from the organization's story, frustrate the examiner, and could negatively impact audit findings. Sending no response or ignoring the request could lead to a compliance review or other subsequent enforcement attention.

Q&A

Organizations can start planning now

Q. What are the differences between the pilot audit and the Phase 2 audit program?

A. The differences are significant. Most noticeably, the OCR will conduct desk audits rather than on-site audits, meaning that covered entities (and, in 2015, business associates) should ensure that their documentation in response to data requests is clear, up-to-date, and concisely addresses the organization's adherence to regulatory requirements under HIPAA. Desk audits also mean that covered entities and business associates will not have the opportunity to clarify the intent of their policies and procedures through interviews with the auditors.

Phase 2 audits are also expected to focus on the areas that were the source of a high number of compliance failures during the pilot program, such as the lack of a complete and accurate risk assessment, inappropriate access to protected health information, problems with authorizations for the disclosure of protected health information, unclear notice of privacy practices, and poor timing and content of breach notification.

In an effort to increase the number of covered entities and business associates to be audited in Phase 2, the OCR is expected to narrow the scope of the criteria it used in the pilot program. Auditors will assess covered entities' and business associates' compliance with the HIPAA regulatory requirements using an updated audit protocol that, among other things, addresses the changes implemented by the final Omnibus Rule. Business associates, which were not part of the pilot audit, will be included in the Phase 2 program beginning in

Q. How will the OCR select organizations to audit?

A. The OCR will select a pool of covered entities eligible for audit using resources developed through an independent third party. Healthcare providers will be selected through the non-public information (NPI) database.
Clearinghouses and health plans will be chosen from external databases (e.g., America's Health Insurance Plans (AHIP)). Random selection will be used when possible for all types of organizations, including group health plans, physicians and group practices, behavioral health organizations, dental offices, hospitals, and laboratories.

In summer 2014, the OCR will conduct a pre-audit survey of up to 800 covered entities to help categorize them. Questions in the survey will address size, location, services provided, and best contact information. In addition, the survey is expected to query the covered entities on their business associates, including names, addresses, and contact information. The OCR will use the results of the survey to select a projected 350 covered entities to audit. Survey results will also be used to select business associates for audits in

Q. What can my organization do to prepare?

A. There are several steps organizations should take in preparation for a possible audit:

- Conduct a mock audit.
- Perform a detailed risk assessment that is conducted at least annually.
- Ensure that addressable security specifications are either fully implemented or adequately documented with mitigation controls.
- Ensure policies are current for regulatory requirements and drafted in accordance with operations. Policies should be easily accessible by employees.
- Identify business associates and ensure contact information is verified and valid.
- Educate and train employees about their role in HIPAA privacy and security compliance.
- Encourage employees to report known or suspected risks and/or suspected data breaches, and investigate each report to conclusion.

Each activity should be clearly documented along with any remediation or corrective action plans and next steps.

Contact information

To have a deeper discussion about our point of view on the OCR's HIPAA Privacy, Security, and Breach Notification audit program, please contact:

- Joseph Greene, (612), joe.greene@us.pwc.com
- T.R. Kane, (440), t.kane@us.pwc.com
- Peter Harries, (602), peter.harries@us.pwc.com
- David C. Sites, Managing Director, (410), David.C.Sites@us.pwc.com
- Laurie Smaldon, Director, (203), laurie.a.smaldon@us.pwc.com
- Brent Hoard, Manager, (941), brent.t.hoard@us.pwc.com

For more information: HIPAA Audit Webpage

PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationWelcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information
Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information about HIPAA, the HITECH-HIPAA Omnibus Privacy Act, how
More informationGeneral HIPAA Implementation FAQ
General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,
More informationHIPAA Audits: Preparing for Phase 2 Audits for Covered Entities and Business Associates
Presenting a live 90-minute webinar with interactive Q&A HIPAA Audits: Preparing for Phase 2 Audits for Covered Entities and Business Associates Developing, Ensuring and Documenting HIPAA and HITECH Privacy
More informationHIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals
HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI
More informationSustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments
View the Replay on YouTube Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments FairWarning Executive Webinar Series October 31, 2013 Today s Panel Chris Arnold
More informationCarl Abramson Gerry Blass Susan A Miller
Introductions 0 Carl Abramson has over 35 years of experience in management consulting, IT management, HIPAA compliance, Critical Infrastructure Cyber Security and business process analysis. Carl is President
More informationA s a covered entity or business associate, you have
Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)
More informationHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law
More informationWhat do you need to know?
What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,
More informationHIPAA Compliance: Efficient Tools to Follow the Rules
Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability
More informationRegulatory Update with a Touch of HIPAA
Regulatory Update with a Touch of HIPAA Cloud Communications Alliance Quarterly Meeting Miami, January 2015 Glenn S. Richards, Partner Pillsbury Winthrop Shaw Pittman LLP Phone: 202.663.8215 glenn.richards@pillsburylaw.com
More informationTexas Medical Records Privacy Act (a.k.a. Texas House Bill 300)
Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire
More informationPrivacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol
Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol 1 Learning Objectives Understand Privacy and Security Requirements Understand the new OCR audit protocol Learn how to prepare
More informationHIPAA Risk Assessments for Physician Practices
HIPAA Risk Assessments for Physician Practices Eric Sandhusen Corporate Compliance Director and Privacy Officer Lloyd Torres Director of Ambulatory HIM DISCLAIMER The statements and opinions presented
More informationHealth Informa.on Technology Audits: "Meaningful Use" and HIPAA. January 23, 2015 Eli Poliakoff Gary Capps
Health Informa.on Technology Audits: "Meaningful Use" and HIPAA January 23, 2015 Eli Poliakoff Gary Capps 1 HITECH - Related Audits Health Informa.on Technology for Economic and Clinical Health Act ("HITECH")
More informationVendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire
Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationExecutive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014
Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to
More informationFISCAL PLAN RESPONSE TO THE AUDITOR GENERAL
Government FISCAL PLAN RESPONSE TO THE AUDITOR GENERAL OCTOBER 2015 127 TABLE OF CONTENTS RESPONSE TO THE AUDITOR GENERAL October 2015.... 129 128 RESPONSE TO THE AUDITOR GENERAL FISCAL PLAN 2016 19 RESPONSE
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,
More informationHIPAA Compliance Review Analysis and Summary of Results
HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk
More informationSurviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell. Topics Covered Part One. Topics Covered Part Two.
Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell President & CEO Carosh Compliance Solutions & Liz Mayer, RHIA Director, Organizational Integrity HCI Care Services and VNS
More informationSTATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM
STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business
More informationThe Impact of HIPAA and HITECH
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
More informationThe OCR Audit Protocol a first look
The OCR Audit Protocol a first look On June 26, 2012, the Office for Civil Rights published its Audit Protocols for HIPAA Security, HIPAA Breach and Privacy at http://ocrnotifications.hhs.gov/hipaa.html.
More informationHIPAA Changes 2013. Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13
HIPAA Changes 2013 Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13 BEI Who We Are DC Metro IT Service Provider since 1987 Network Design/Upgrade Installation/Managed IT Services for small to medium-sized
More informationHIPAA, Subpoenas and Audits, Oh My! An Overview. Jonathan M. Joseph
HIPAA, Subpoenas and Audits, Oh My! An Overview Jonathan M. Joseph This is provided as an informational service and does not constitute legal counsel or advice, which can only be rendered in the context
More informationLaw Firm Cyber Security & Compliance Risks
ALA WEBINAR Law Firm Cyber Security & Compliance Risks James Harrison CEO, INVISUS Breach Risks & Trends 27.5% increase in breaches in 2014 (ITRC) Over 500 million personal records lost or stolen in 2014
More informationSunday March 30, 2014, 9am noon HCCA Conference, San Diego
Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose
More informationHIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014
HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors
More informationThreat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA
www.pwc.com Vulnerability Management (TVM) Protecting IT assets through a comprehensive program Chicago IIA/ISACA 2 nd Annual Hacking Conference Introductions Paul Hinds Managing Director Cybersecurity
More informationHIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C.
HIPAA Hot Topics Audits, the Latest on Enforcement and the Impact of Breaches September 2012 Nashville Knoxville Memphis Washington, D.C. Overview HITECH Act HIPAA Audit Program: update and initial results
More information