valueoutcome July Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "valueoutcome July Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny"

Transcription

1 valueoutcome July 2014 Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny Highlights 1. In preparation for Phase 2 audits, covered entities should pay extra attention to areas the OCR has indicated represent heightened risk. These include: Risk assessment Individuals right to access their PHI Authorizations Minimum necessary use and disclosure Notice of privacy practices Breach notification and incident response Access controls Encryption Logging 2. Pre-audit surveys of covered entities are expected in summer The OCR will send document requests to organizations selected for audits in fall Phase 2 audits are expected to run from October 2014 through June Business associate audits are scheduled to begin in The OCR s pre-audit survey will ask each covered entity to identify its business associates and supply their contact information. In preparation, organizations should collect and validate this information as soon as possible. In an attempt to verify compliance with HIPAA s Security Rule, Privacy Rule, and Breach Notification Rule (collectively, the HIPAA Rules ), the Office for Civil Rights (OCR) began in 2012 to pilot privacy and security audits of payers, providers, and healthcare clearinghouses (i.e., covered entities ). In March 2014, the OCR announced the implementation of a Phase 2 audit program to begin in fall 2014 based on the findings of the pilot audits. In Phase 2, the OCR will conduct audits of HIPAA-covered entities, with audits for business associates anticipated to begin in The Phase 2 audit program will have a different look and feel from the pilot program. Phase 2 audits will be conducted as desk audits (although the OCR has also reserved the right to conduct on-site audits as its resources allow). The new audits will be guided by findings from the pilot program that indicates areas of heightened risk or vulnerability to privacy or security breaches. In Phase 2 of its HIPAA compliance audit program, the OCR will distribute surveys to approximately organizations, from which 350 will be randomly selected for audit. 1 Information in this paper is sourced from The US Department of Health and Humans Services Office for Civil Rights Report, OCR Audits of HIPAA Privacy, Security, and Breach Notification, Phase 2, Linda Sanches, MPH, Senior Advisor, Health Information Privacy, March 31, nt2.pdf

2 Background Phase 2 audits incorporate new processes, standards The OCR s pilot program audited 115 entities, including 61 providers, 47 health plans, and seven clearinghouses. The OCR assessed compliance with 169 requirements corresponding to the provisions of the HIPAA Rules. The agency contracted a third-party auditor to conduct audits on site. Each audit ranged from hours, requiring three to four weeks of active audit work, depending on an organization s size and structure. Goals of the pilot audit included not only measuring compliance with regulatory requirements, but also developing a replicable audit program that is comprehensive, flexible, and applicable across the diverse range of covered entities and business associates. Audits will be guided by pilot findings The majority of providers audited in the pilot had at least one security finding or observation. Deficiencies in compliance with the HIPAA security provisions accounted for 60% of the audit findings and observations in the pilot program most notably the lack of complete and accurate risk assessment in two-thirds of the entities audited. 2 Entities that did well and had no security findings or observations generally met the standard by fully implementing the addressable specifications. From a privacy perspective, the most commonly cited findings included meeting the requirements for access to protected health information, notice of privacy practices, and the timing and content of breach notices. 2 Pilot audit results found no complete and accurate risk assessment in two-thirds of the entities audited, including 47 of 59 providers, 20 of 35 health plans, and two of seven clearinghouses. For every finding and observation cited in the audit report, the OCR identified a cause. The most common cause of noncompliance across all entities was lack of awareness about the requirement. Other noted causes included the lack of sufficient resources, incomplete implementation, and, in a few instances, according to the OCR, complete disregard for the requirement. Whereas the pilot audits used contracted staff to perform on-site assessments, the new audit program is expected to be conducted by OCR staff. The desk audit approach means organizations will have no opportunity to seek clarification or ask questions of the auditors. Similarly, the auditors will not be able to contact the covered entity for clarification or additional information. To help stratify the list of potential organizations for audit, the OCR plans to issue a pre-audit survey in summer The survey will help verify and collect data on covered entities data that is not currently available to the OCR. This data will help the OCR classify organizations during the audit selection process. The OCR will distribute the survey online to approximately organizations, from which 350 will be randomly selected for audit. The OCR has made it clear that the failure of an entity selected for a desk audit to submit a response may lead to a referral for a regional compliance review. The OCR will send notifications to the organizations selected for audits in fall Organizations are expected to have two weeks from the receipt of the notification letter to respond to the document request list. While the OCR did allow for policies and requested documentation to be edited or created up until the time of submission during the pilot audits (and presumably will do so in the Phase 2 audits as well), organizations that lack the requested documentation will have difficulty creating and implementing it within a couple of weeks. The OCR s audit program is expected to begin fall 2014, when the agency will conduct audits of covered entities. In 2015, the OCR is expected to begin auditing business associates. The OCR has been clear in its expectations of covered entities for the Phase 2 audit program. Organizations selected for an audit can expect the following: The OCR will assess only documentation submitted on time. All documentation must be current as of the date of the request. There is no opportunity to seek clarification or ask questions of the auditors. Auditors are not able to contact the organization for clarification or additional information. Submitting extraneous information may make it difficult for auditors to locate and assess required items, which may have an adverse effect on an organization s audit results. The OCR will review all items submitted whether requested or not. Any issue the OCR finds with the extraneous documentation will be duly noted and acted upon. Preparing for Phase 2: The next generation of HIPAA audits 2

3 Analysis Setting the stage for a successful audit For a well-prepared and governanceoriented organization, the OCR s desk audit approach will likely be less burdensome than the pilot. On the other hand, the new approach could be problematic for organizations that lack structure and comprehensive documentation regarding their privacy and security policies and processes. Regardless, covered entities and business associates should use this lead time to address gaps in their policies and procedures and consider how best to demonstrate their compliance with HIPAA requirements. To gauge its readiness for an audit, organizations should complete a HIPAA Security Rule risk assessment that is thorough, on point, and easy to understand. In the OCR s pilot audit program, two-thirds of the organizations audited had no complete and accurate risk assessment, making it likely that this will be an area subject to particular inspection in the Phase 2 audits. Organizations should consider implementing remediation activities and conducting an inventory of their systems that handle electronic personal health information. Sending a disorganized or disproportionate response will detract from the organization s story, frustrate the examiner, and could negatively impact audit findings. Generally speaking, an organization s documentation of its HIPAA program should be clear, comprehensive yet concise, current, and easy to follow for the reviewer. To prepare for an audit, organizations should assume the role of the auditor and evaluate their documentation from the auditor s perspective. How does the organization portray its compliance? An organization s established privacy and security policies and procedures will be its primary vehicle for telling its story. Accordingly, covered entities should conduct a thorough review and gap analysis of those policies and procedures. Organizations should ensure that their practices include changes from the Omnibus Rule and are not a wholesale reiteration of implementation specifications. Policies and procedures should demonstrate a thoughtful and effective HIPAA program and accurately reflect an organization s privacy and security practices. Organizations should also compile a list of business associates and their contact information and review the list for completeness and accuracy. (Business associates should likewise undertake this exercise for subcontractors.) Finally, organizations should be responsive to the OCR s documentation request; sending a disorganized or disproportionate response will detract from the organization s story, frustrate the examiner, and could negatively impact audit findings. Sending no response or ignoring the request could lead to a compliance review or other subsequent enforcement attention. Preparing for Phase 2: The next generation of HIPAA audits 3

4 Q&A Organizations can start planning now Q. What are the differences between the pilot audit and the Phase 2 audit program? A. The differences are significant. Most noticeably, the OCR will conduct desk audits rather than on-site audits, meaning that covered entities (and, in 2015, business associates) should ensure that their documentation in response to data requests is clear, upto-date, and concisely addresses the organization s adherence to regulatory requirements under HIPAA. Desk audits also mean that covered entities and business associates will not have the opportunity to clarify the intent of their policies and procedures through interviews with the auditors. Phase 2 audits are also expected to focus on the areas that were the source of a high number of compliance failures during the pilot program, such as the lack of a complete and accurate risk assessment, inappropriate access to protected health information, problems with authorizations for the disclosure of protected health information, unclear notice of privacy practices, and poor timing and content of breach notification. In an effort to increase the number of covered entities and business associates to be audited in Phase 2, the OCR is expected to narrow the scope of the criteria it used in the pilot program. Auditors will assess covered entities and business associates compliance with the HIPAA regulatory requirements using an updated audit protocol that, among other things, addresses the changes implemented by the final Omnibus Rule. Business associates which were not part of the pilot audit will be included in the Phase 2 program beginning in Q. How will the OCR select organizations to audit? A. The OCR will select a pool of covered entities eligible for audit using resources developed through an independent third party. Healthcare providers will be selected through the non-public information (NPI) database. Clearinghouses and health plans will be chosen from external databases (e.g., America s Health Insurance Plans (AHIP)). Random selection will be used when possible for all types of organizations, including group health plans, physicians and group practices, behavioral health organizations, dental offices, hospitals, and laboratories. In summer 2014, the OCR will conduct a pre-audit survey of up to 800 covered entities to help categorize them. Questions in the survey will address size, location, services provided, and best contact information. In addition, the survey is expected to query the covered entities on their business associates, including names, addresses, and contact information. The OCR will use the results of the survey to select a projected 350 covered entities to audit. Survey results will also be used to select business associates for audits in Q. What can my organization do to prepare? A. There are several steps organizations should take in preparation for a possible audit: Conduct a mock audit. Perform a detailed risk assessment that is conducted at least annually. Ensure that addressable security specifications are either fully implemented or adequately documented with mitigation controls. Ensure policies are current for regulatory requirements and drafted in accordance with operations. Policies should be easily accessible by employees. Identify business associates and ensure contact information is verified and valid. Educate and train employees about their role in HIPAA privacy and security compliance. Encourage employees to report known or suspected risks and/or suspected data breaches, and investigate each report to conclusion. Each activity should be clearly documented along with any remediation or corrective action plans and next steps. Covered entities and business associates will not have the opportunity to clarify the intent of their policies and procedures through interviews with the auditors. Preparing for Phase 2: The next generation of HIPAA audits 4

5 Contact information To have a deeper discussion about our point of view on the OCR's HIPAA Privacy, Security, and Breach Notification audit program, please contact: Joseph Greene (612) T.R. Kane (440) Peter Harries (602) David C. Sites Managing Director (410) Laurie Smaldon Director (203) Brent Hoard Manager (941) For more information: HIPAA Audit Webpage PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014 OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 Linda Sanches, MPH Senior Advisor, Health Information Privacy HCCA Compliance Institute March 31, 2014 Agenda Background Audit Phase

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

AHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA

AHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA AHLA B. HIPAA Compliance Audits Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA Anna C. Watterson Davis Wright Tremaine LLP Washington, DC Fraud

More information

2016 OCR AUDIT E-BOOK

2016 OCR AUDIT E-BOOK !! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that

More information

OCR HIPAA AUDITS THEY RE BACK!

OCR HIPAA AUDITS THEY RE BACK! OCR HIPAA AUDITS THEY RE BACK! Chris Apgar, CISSP 2016 OVERVIEW OCR Audit Program Overview What to Expect if OCR s Auditors Show Up Potential Penalties and Other OCR Actions How to Prepare for an Audit

More information

State of Compliance 2014 Healthcare provider industry brief

State of Compliance 2014 Healthcare provider industry brief Delve into the full analysis of the 2014 State of Compliance Survey at: pwc.com/us/ stateofcompliance State of Compliance 2014 Healthcare provider industry brief Introduction The healthcare provider industry

More information

Preparing for the Phase II HIPAA Audits

Preparing for the Phase II HIPAA Audits Preparing for the Phase II HIPAA Audits The Phase II HIPAA Audits are expected to start soon. This document is a primer on where we have been, where we are going, and what you can do now to prepare for

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

Interpreting the HIPAA Audit Protocol for Health Lawyers

Interpreting the HIPAA Audit Protocol for Health Lawyers Interpreting the HIPAA Audit Protocol for Health Lawyers This webinar is brought to you by the Health Information and Technology Practice Group (HIT), and is co-sponsored by the Business Law and Governance

More information

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective July 23, 2013 Gerry Hinkley, Pillsbury Allen Briskin, Pillsbury Pillsbury Winthrop Shaw Pittman LLP

More information

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014 Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit Iliana L. Peters, J.D., LL.M. April 23, 2014 OCR RULEMAKING UPDATE What s Done? What s to Come? What s Done: Interim Final Rules

More information

HIPAA Audits Are Here!

HIPAA Audits Are Here! HIPAA Audits Are Here! How to prepare for and what to expect when OCR comes knocking May 12, 2016 James B. Wieland, Principal, Ober Kaler Emily H. Wein, Principal, Ober Kaler David Holtzman, VP of Compliance,

More information

Lessons Learned from OCR Privacy and Security Audits

Lessons Learned from OCR Privacy and Security Audits Lessons Learned from OCR Privacy and Security Audits Program Overview & Initial Analysis Linda Sanches, MPH Verne Rinker, JD MPH Presentation to IAPP Global Privacy Summit March 7, 2013 Program Mandate

More information

Preparing for and Responding to an OCR HIPAA Audit

Preparing for and Responding to an OCR HIPAA Audit Preparing for and Responding to Carole Klove Carole.Klove@ucsfmedctr.or g Gerry Hinkley gerry.hinkley@pillsburylaw.com SIXTH NATIONAL HIPAA SUMMIT WEST October 10-12, 2012 Overview Background What to expect

More information

HIPAA Privacy, Security and Breach Notification Audits

HIPAA Privacy, Security and Breach Notification Audits HIPAA Privacy, Security and Breach Notification Audits Program Overview & Initial Analysis Verne Rinker JD, MPH 2013 NIST / OCR Security Rule Conference May 21-22, 2013 Program Mandate HITECH Act, Section

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16 NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The

More information

A smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved

A smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved A smarter way to protect your brand Minimizing Compliance Risks of Proactive OCR HIPAA Audits Copyright 2012 Compliance 360 All Rights Reserved Compliance 360 at a Glance Compliance, Risk and Audit Solutions

More information

2012 HIPAA Privacy and Security Audits

2012 HIPAA Privacy and Security Audits Office of the Secretary Office for Civil Rights (OCR) 2012 HIPAA Privacy and Security Audits Linda Sanches OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits OCR 1 Agenda Background

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

Preparing for HIPAA and Meaningful Use Compliance Audits

Preparing for HIPAA and Meaningful Use Compliance Audits Preparing for HIPAA and Meaningful Use Compliance Audits Presented by: David Holtzman VP of Compliance, CynergisTek CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com

More information

HIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com

HIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations

More information

HIPAA compliance audit: Lessons learned apply to dental practices

HIPAA compliance audit: Lessons learned apply to dental practices HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

The Case For HIPAA Risk Assessment. Leader s Guide

The Case For HIPAA Risk Assessment. Leader s Guide 4547 The Case For HIPAA Risk Assessment Leader s Guide IMPORTANT INFORMATION FOR EDUCATION COORDINATORS & PROGRAM FACILITATORS PLEASE NOTE: In order for this program to meet Florida course requirements,

More information

Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner

Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner OPRA 2015 Fall Conference November 4, 2015 Presented By: Lisa Pierce Reisz Vorys, Sater, Seymour and Pease LLP 614.464.8353 lpreisz@vorys.com

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability

More information

How to prepare your organization for an OCR HIPAA audit

How to prepare your organization for an OCR HIPAA audit How to prepare your organization for an OCR HIPAA audit Presented By: Mac McMillan, FHIMSS, CISM CEO, CynergisTek, Inc. Technical Assistance: 978-674-8121 or Amanda.Howell@iatric.com Audio Options: Telephone

More information

OCR Launches Phase 2 HIPAA Audits for Covered Entities and Business Associates: Are You Ready?

OCR Launches Phase 2 HIPAA Audits for Covered Entities and Business Associates: Are You Ready? Presenting a live 90-minute webinar with interactive Q&A OCR Launches Phase 2 HIPAA Audits for Covered Entities and Business Associates: Are You Ready? Developing, Ensuring and Documenting HIPAA and HITECH

More information

The HIPAA Omnibus Final Rule

The HIPAA Omnibus Final Rule WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia

More information

Upcoming OCR Audits for HIPAA Compliance: How Prepared and Confident are Medical Practices and Billing Companies?

Upcoming OCR Audits for HIPAA Compliance: How Prepared and Confident are Medical Practices and Billing Companies? Upcoming : How Prepared and Confident are Medical Practices and Billing Companies? - Presented by NueMD a complete medical billing and practice management software solution company has partnered with Porter

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

HIPAA: AN OVERVIEW September 2013

HIPAA: AN OVERVIEW September 2013 HIPAA: AN OVERVIEW September 2013 Introduction The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, was enacted on August 21, 1996. The overall goal was to simplify and streamline

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

Our Commitment to Information Security

Our Commitment to Information Security Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as

More information

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Presented by: Don Waechter, Managing Partner Health Compliance Partners Ann Breitinger, Attorney Blalock Walters Legal Disclaimer

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? You receive a phone call from your CEO. They just received

More information

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

OCR Reports on the Enforcement. Learning Objectives

OCR Reports on the Enforcement. Learning Objectives OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

Objectives 5/5/2015. Quality Health Associates (QHA) of ND

Objectives 5/5/2015. Quality Health Associates (QHA) of ND Privacy and Security: HIPAA/HITECH/Meaningful Use Looking Back, Forging Ahead Patti Kritzberger, RHIT, CHPS Quality Health Associates of North Dakota HIT/Quality Improvement Specialist Quality Health Associates

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

Meaningful Use and Security Risk Analysis

Meaningful Use and Security Risk Analysis Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)

More information

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

InfoGard Healthcare Services. 2015 InfoGard Laboratories Inc.

InfoGard Healthcare Services. 2015 InfoGard Laboratories Inc. InfoGard Healthcare Services 10 Steps To Protect My Covered Entity From Breach Your Presenters Alan Martin Account Manger Marvin Byrd Security Engineer Test and Certification Laboratory Healthcare Payment

More information

Arizona Physicians Group To Pay $100,000 To Settle HIPAA Charges

Arizona Physicians Group To Pay $100,000 To Settle HIPAA Charges Cynthia Marcotte Stamer Board Certified Labor and Employment Law Texas Board of Legal Specialization Primary Telephone: (214) 452-8297 24-Hour Telephone (469) 767.8872 Addison Telephone (972) 588.1860

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Sustainable Compliance: A System for Ongoing Audit Readiness

Sustainable Compliance: A System for Ongoing Audit Readiness View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System

More information

OCR HIPAA Audits. Disclaimer. Message. I am here for your benefit. If you have questions, please ask. 1. Background 2. The Audit 3.

OCR HIPAA Audits. Disclaimer. Message. I am here for your benefit. If you have questions, please ask. 1. Background 2. The Audit 3. OCR HIPAA Audits Roger Brett Short Chief Compliance Officer October 2012 Disclaimer The information provided in this presentation does not constitute legal advice and is intended to be used for guidance.

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

Understanding Your Health Record Information

Understanding Your Health Record Information Associated Retina Consultant s, Ltd. Notice of Information Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

NOTICE OF PRIVACY PRACTICES TEMPLATE. Sections highlighted in yellow are optional sections, depending on if applicable

NOTICE OF PRIVACY PRACTICES TEMPLATE. Sections highlighted in yellow are optional sections, depending on if applicable NOTICE OF PRIVACY PRACTICES TEMPLATE Sections highlighted in yellow are optional sections, depending on if applicable Original Date: ##/##/#### Revised per HIPAA Omnibus Rule ##/##/#### Revised Date Implementation:

More information

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37.

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37. Zip It! Feds, State Strengthen Privacy Protection Practice Management Feature July 2012 Tex Med. 2012;108(7):33-37. By Crystal Conde Associate Editor When it comes to enforcing HIPAA data security and

More information

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013 ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information about HIPAA, the HITECH-HIPAA Omnibus Privacy Act, how

More information

General HIPAA Implementation FAQ

General HIPAA Implementation FAQ General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,

More information

HIPAA Audits: Preparing for Phase 2 Audits for Covered Entities and Business Associates

HIPAA Audits: Preparing for Phase 2 Audits for Covered Entities and Business Associates Presenting a live 90-minute webinar with interactive Q&A HIPAA Audits: Preparing for Phase 2 Audits for Covered Entities and Business Associates Developing, Ensuring and Documenting HIPAA and HITECH Privacy

More information

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI

More information

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments View the Replay on YouTube Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments FairWarning Executive Webinar Series October 31, 2013 Today s Panel Chris Arnold

More information

Carl Abramson Gerry Blass Susan A Miller

Carl Abramson Gerry Blass Susan A Miller Introductions 0 Carl Abramson has over 35 years of experience in management consulting, IT management, HIPAA compliance, Critical Infrastructure Cyber Security and business process analysis. Carl is President

More information

A s a covered entity or business associate, you have

A s a covered entity or business associate, you have Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

What do you need to know?

What do you need to know? What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,

More information

HIPAA Compliance: Efficient Tools to Follow the Rules

HIPAA Compliance: Efficient Tools to Follow the Rules Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability

More information

Regulatory Update with a Touch of HIPAA

Regulatory Update with a Touch of HIPAA Regulatory Update with a Touch of HIPAA Cloud Communications Alliance Quarterly Meeting Miami, January 2015 Glenn S. Richards, Partner Pillsbury Winthrop Shaw Pittman LLP Phone: 202.663.8215 glenn.richards@pillsburylaw.com

More information

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300)

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire

More information

Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol

Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol 1 Learning Objectives Understand Privacy and Security Requirements Understand the new OCR audit protocol Learn how to prepare

More information

HIPAA Risk Assessments for Physician Practices

HIPAA Risk Assessments for Physician Practices HIPAA Risk Assessments for Physician Practices Eric Sandhusen Corporate Compliance Director and Privacy Officer Lloyd Torres Director of Ambulatory HIM DISCLAIMER The statements and opinions presented

More information

Health Informa.on Technology Audits: "Meaningful Use" and HIPAA. January 23, 2015 Eli Poliakoff Gary Capps

Health Informa.on Technology Audits: Meaningful Use and HIPAA. January 23, 2015 Eli Poliakoff Gary Capps Health Informa.on Technology Audits: "Meaningful Use" and HIPAA January 23, 2015 Eli Poliakoff Gary Capps 1 HITECH - Related Audits Health Informa.on Technology for Economic and Clinical Health Act ("HITECH")

More information

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014 Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to

More information

FISCAL PLAN RESPONSE TO THE AUDITOR GENERAL

FISCAL PLAN RESPONSE TO THE AUDITOR GENERAL Government FISCAL PLAN RESPONSE TO THE AUDITOR GENERAL OCTOBER 2015 127 TABLE OF CONTENTS RESPONSE TO THE AUDITOR GENERAL October 2015.... 129 128 RESPONSE TO THE AUDITOR GENERAL FISCAL PLAN 2016 19 RESPONSE

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell. Topics Covered Part One. Topics Covered Part Two.

Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell. Topics Covered Part One. Topics Covered Part Two. Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell President & CEO Carosh Compliance Solutions & Liz Mayer, RHIA Director, Organizational Integrity HCI Care Services and VNS

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

The OCR Audit Protocol a first look

The OCR Audit Protocol a first look The OCR Audit Protocol a first look On June 26, 2012, the Office for Civil Rights published its Audit Protocols for HIPAA Security, HIPAA Breach and Privacy at http://ocrnotifications.hhs.gov/hipaa.html.

More information

HIPAA Changes 2013. Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13

HIPAA Changes 2013. Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13 HIPAA Changes 2013 Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13 BEI Who We Are DC Metro IT Service Provider since 1987 Network Design/Upgrade Installation/Managed IT Services for small to medium-sized

More information

HIPAA, Subpoenas and Audits, Oh My! An Overview. Jonathan M. Joseph

HIPAA, Subpoenas and Audits, Oh My! An Overview. Jonathan M. Joseph HIPAA, Subpoenas and Audits, Oh My! An Overview Jonathan M. Joseph This is provided as an informational service and does not constitute legal counsel or advice, which can only be rendered in the context

More information

Law Firm Cyber Security & Compliance Risks

Law Firm Cyber Security & Compliance Risks ALA WEBINAR Law Firm Cyber Security & Compliance Risks James Harrison CEO, INVISUS Breach Risks & Trends 27.5% increase in breaches in 2014 (ITRC) Over 500 million personal records lost or stolen in 2014

More information

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

Threat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA

Threat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA www.pwc.com Vulnerability Management (TVM) Protecting IT assets through a comprehensive program Chicago IIA/ISACA 2 nd Annual Hacking Conference Introductions Paul Hinds Managing Director Cybersecurity

More information

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C.

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C. HIPAA Hot Topics Audits, the Latest on Enforcement and the Impact of Breaches September 2012 Nashville Knoxville Memphis Washington, D.C. Overview HITECH Act HIPAA Audit Program: update and initial results

More information