4547 The Case For HIPAA Risk Assessment Leader's Guide
IMPORTANT INFORMATION FOR EDUCATION COORDINATORS & PROGRAM FACILITATORS

PLEASE NOTE: In order for this program to meet Florida course requirements, this curriculum must be presented by a training provider approved by. A list of approved training providers can be found.

ACCREDITATION INFORMATION

TARGET AUDIENCE
This continuing education activity has been developed for HIPAA Covered Entity personnel such as HIPAA privacy and security officers, privacy contacts, risk managers, counsel, information management and information technology personnel, compliance officers and leadership at all levels interested in pursuing and attaining HIPAA compliance.

ACCREDITATION PERIOD

CE CONTACT HOURS
NEVCO designates this educational activity for up to hours of continuing education.

OVERALL LEARNING OBJECTIVES
Upon completion of this course, participants should be able to:
1. Demonstrate how HIPAA risk assessments can decrease exposure to HIPAA fines, penalties and criminal sanctions.
2. Describe several compelling reasons for a HIPAA risk assessment.
3. Use a HIPAA risk assessment as a resource for conducting a mock OCR audit.
4. Recognize benefits to the Covered Entity beyond HIPAA compliance that HIPAA risk assessments represent.
5. Evaluate the Covered Entity's immediate need for HIPAA risk assessments.
6. Assess and evaluate readiness for a HIPAA risk assessment.

THE ROLE OF PROGRAM FACILITATOR
This educational activity must be facilitated (conducted) by a training provider approved by who will assume responsibility for the activity requirements detailed in this guide. Failure to conduct this activity accordingly may affect eligibility for CE credit (Registered Nurses), Certificates of Completion (Others), and will not meet Florida state requirements for -hour _.

ACTIVITY REQUIREMENTS

HOW TO EARN CREDIT
The supplemental material contained in this Activity Guide is intended to be used with the enclosed PowerPoint. All elements of the curriculum outline (see next page) must be completed in order to obtain full credit. See the Facilitation Guide that follows for further details on how to conduct this activity.

2012
TRAINING CURRICULUM OUTLINE
All elements must be satisfied in order to meet course requirements.

ACTIVITY                                      TIME      DIDACTIC METHOD
Learning Objectives and Review of Key Terms   30 min.   Facilitated Discussion
Pre-Test                                      15 min.   Handout Distribution
Powerpoint                                    45 min.   View Instructional Powerpoint
Discussion                                    30 min.   Facilitated Discussion
Post-Test                                     15 min.   Handout Distribution

CONTENT
Evolution of HIPAA, HITECH HIPAA and privacy and security rules since 1996.
Examples of preventable HIPAA violations.
Reasons for HIPAA risk assessments.
Using HIPAA risk assessments as a resource for a mock OCR audit.
Benefits beyond HIPAA compliance of HIPAA risk assessments.
Sources of HIPAA exposure.
Incentives to bring a HIPAA violation case.
HIPAA administrative, civil and criminal penalties.
Immediate steps toward HIPAA compliance.
HIPAA risk assessment and OCR audit processes.
Importance of training and ongoing reviews in HIPAA compliance.

Total Time: Part 1 2:15
HIPAA privacy and security

Proliferation in the late 1990s of the internet and electronic transmission of healthcare information, together with highly publicized abuses of medical records, motivated Congress in 1996 to include Administrative Simplification provisions (HIPAA) in legislation governing portability of health insurance between employers. Far-reaching HIPAA privacy and security rules defined the role and responsibility of HIPAA Covered Entities, implemented significant patient rights and expanded the reach of HIPAA to Business Associates, entities using protected health information in work done for Covered Entities. HITECH HIPAA, part of the 2009 stimulus bill, represented a seismic shift in HIPAA enforcement by substantially increasing HIPAA civil, criminal and administrative penalties and making them applicable to Business Associates.

Key terms: HIPAA laws, HIPAA rules, HITECH HIPAA, Covered Entity, Business Associate.

HIPAA privacy. HIPAA privacy governs use and disclosure of protected health information. Use is within an organization, while disclosure is outside.

HIPAA security. HIPAA security governs how health information is protected through administrative, technical and legal requirements called safeguards.

HIPAA risk assessment. An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the Covered Entity. HIPAA risk assessments are required by federal HIPAA rules at 45 CFR 164.308(a)(1).

OCR HIPAA audit. HIPAA compliance audits of Covered Entities and Business Associates conducted by the HHS Office of Civil Rights.

Mock OCR audit. A simulated pre-audit of a Covered Entity's HIPAA compliance conducted by the Covered Entity in advance of an OCR HIPAA audit.

HIPAA administrative, civil and criminal penalties. Expanded by HITECH HIPAA legislation to include Business Associates, HITECH HIPAA administrative, civil and criminal penalties can reach $1,500,000 per occurrence and prison for up to 10 years.
Program Description
This program will discuss federally required HIPAA risk assessments, the challenges that HIPAA compliance imposes on Covered Entities and Business Associates, and how a mock OCR audit can become an integral part of a HIPAA risk assessment. Covered Entities and Business Associates are encouraged to perform HIPAA risk assessments before undergoing an external review by OCR, the plaintiff's bar and others.

Objectives
At the conclusion of this program the participant will be able to:
1. Describe several reasons for HIPAA risk assessments.
2. Use a HIPAA risk assessment as a resource for conducting a mock OCR audit.
3. Recognize benefits beyond HIPAA rule compliance of HIPAA risk assessments.
4. Evaluate the Covered Entity's immediate need for HIPAA risk assessments.
5. Assess and evaluate readiness of the Covered Entity for a HIPAA risk assessment.
6. Identify common compliance failures leading to HIPAA fines and penalties.
7. Understand the importance of HIPAA training and ongoing monitoring of HIPAA compliance.
8. Understand that many HIPAA violations are preventable.
9. State 2 immediate actions that can reduce or eliminate exposure to HIPAA penalties.
10. Understand the Covered Entity's exposure to HIPAA administrative, civil and criminal penalties.
GLOSSARY OF KEY TERMS

Business associate agreements: Agreements between Covered Entities and organizations (Business Associates) that use PHI in work they perform for Covered Entities.
CLIA: Federal laws and rules governing health care laboratories.
Compliance gaps: Insufficient compliance by a Covered Entity with federal requirements.
Corrective action plan: Formalized remediation plan often required by HHS in connection with HIPAA violations.
EHR: Electronic health records.
Electronic protected health information: Protected health information created, maintained or transmitted electronically.
Encryption: Process of making data unreadable or indecipherable consistent with federal standards.
False claims: State and federal legislation imposing damages and fines for submitting false healthcare claims.
HITECH HIPAA: Part of the 2009 stimulus package that expanded HIPAA to Business Associates and increased penalties for HIPAA violations.
HIPAA: Federal legislation governing transportability of health insurance among and between employers.
HIPAA privacy policies, procedures and forms: Suite of Covered Entity documents designed to comply with federal HIPAA privacy requirements.
HIPAA privacy rules: Federal rules governing use and disclosure of protected health information.
HIPAA risk assessment: Accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.
GLOSSARY OF KEY TERMS (continued)

HIPAA security policies, procedures and forms: Suite of Covered Entity documents designed to comply with federal HIPAA security requirements.
HIPAA security rules: Federal rules governing protection of health information through administrative, legal and technical safeguards.
Meaningful Use Objectives: Federal initiative designed to encourage utilization of electronic health records.
Milestones: Scheduled remediation activities.
Mock OCR audit: Simulated OCR audit conducted by a Covered Entity prior to an actual OCR audit.
NIST publications: Instructive privacy and security manuals published by the US Department of Commerce.
OCR audit protocol: Specific policies and procedures utilized by HHS in conducting OCR audits.
Penetration and vulnerability testing: Electronic testing of a Covered Entity's defenses against unauthorized access.
Protected health information: Health information about a specific individual.
Remediation: Steps to bring Covered Entity policies, procedures and forms into HIPAA compliance.
Sanction policy: Formal policy of a Covered Entity to sanction Workforce members for violations.
Whistleblower: Person permitted to bring an action against a Covered Entity with potential for sharing a portion of the recovery.
Workforce: Personnel acting on behalf of a Covered Entity on a paid or volunteer basis.
Pre Test
Circle T if the statement is true, circle F if it is false.

T F 1. A HIPAA risk assessment has benefits beyond HIPAA rule compliance.
T F 2. A HIPAA risk assessment can be used as a resource for conducting an internal mock OCR audit.
T F 3. HIPAA violations do not create exposure to administrative, civil or criminal penalties.
T F 4. Training and ongoing reviews are not a part of HIPAA compliance.
T F 5. HIPAA privacy rules govern use and disclosure of protected health information.
T F 6. HIPAA security rules involve administrative, legal and technical safeguards.
T F 7. A HIPAA risk assessment is an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information.
T F 8. A whistleblower is a person permitted to bring an action against a Covered Entity with potential for sharing a portion of the recovery.
T F 9. Under HIPAA, workforce includes personnel acting on behalf of a Covered Entity on a paid or volunteer basis.
T F 10. HIPAA fines are capped at $10,000 per occurrence.
T F 11. An OCR audit does not involve any on-site visits by auditors.
T F 12. A HIPAA risk assessment satisfies at least 2 federal HIPAA rule requirements.
T F 13. A Covered Entity's HIPAA suites of privacy and security policies, procedures and forms are the only types of documentation examined during an OCR audit.
T F 14. HHS Office of Civil Rights does not give Covered Entities notice of OCR audits.

Pre Test (continued)

T F 15. State attorneys general have no authority to bring HIPAA actions against Covered Entities.
T F 16. HHS often requires a Corrective Action Plan from Covered Entities for HIPAA violations.
T F 17. HITECH HIPAA significantly expanded the reach of HIPAA requirements and increased HIPAA fines and penalties.
T F 18. There are no immediate steps a Covered Entity can take to reduce or eliminate exposure to HIPAA violations.
T F 19. Failure to completely implement policies and procedures often leads to HIPAA fines and sanctions.
T F 20. HIPAA laws were enacted in 1996 in legislation governing portability of employees' health insurance.
Post Test
Circle the response that best answers each question.

1. HIPAA security involves safeguards that include:
   a. administrative
   b. legal
   c. technical

2. HIPAA privacy rules govern:
   a. use and disclosure of protected health information
   b. administrative safeguards
   c. legal safeguards
   d. technical safeguards

3. HIPAA violations create exposure to the following penalties:
   a. administrative
   b. civil
   c. criminal

4. HIPAA workforce includes the following personnel:
   a. paid and volunteer staff
   b. US Postal Service
   c. Federal Express
   d. b and c but not a

5. HIPAA fines per occurrence are capped at:
   a. $10,000
   b. $20,000
   c. $100,000
   d. none of the above

6. A HIPAA risk assessment satisfies HIPAA rules requiring:
   a. risk assessment
   b. periodic reviews and updates
   c. administrative safeguards
   d. a and b but not c

Post Test (continued)

7. The following types of Covered Entity documentation can be expected to be reviewed during an OCR audit:
   a. Covered Entity's suites of HIPAA privacy and security policies, procedures and forms
   b. Covered Entity's paper and website Notice of Privacy Practices
   c. Covered Entity's sanction policy
   d. Covered Entity's document retention policy
   e. all of the above

8. Sources of HIPAA exposure include:
   a. present and former employees
   b. security breaches
   c. theft of medical records

9. Maximum prison term for a HIPAA violation is:
   a. 1 year
   b. 5 years
   c. 10 years
   d. none of the above

10. Benefits of a HIPAA risk assessment include:
   a. placing the Covered Entity in the best possible legal position to defend against HIPAA violations
   b. helping the Covered Entity qualify for network liability and privacy insurance
   c. reducing or avoiding adverse publicity
   e. none of the above

11. A HIPAA risk assessment includes:
   a. on-site interviews with key leadership and management staff
   b. facility and data center review
   c. pre- and post-assessment briefings of key leadership and management personnel
   e. none of the above

12. Review and possible update of HIPAA privacy and security policies and procedures should occur after which of the following:
   a. installing new computer equipment
   b. adding additional software
   c. hiring of additional staff
   e. none of the above

Post Test (continued)

13. An external review of a Covered Entity's suite of HIPAA privacy and security policies, procedures and forms can occur in the context of a:
   a. security breach
   b. whistleblower complaint
   c. OCR audit
   e. none of the above

14. Prominent OCR audit protocols include:
   a. risk assessment
   b. review and update HIPAA policies, procedures and forms periodically
   c. development and deployment of information system activity review process
   d. sanction policy
   e. all of the above
   f. none of the above

15. OCR audits can be expected to involve the following:
   a. no notice
   b. no request for documentation
   c. no interviews of key personnel
   e. none of the above

16. Reasons for OCR HIPAA audits include:
   a. assess Covered Entity compliance efforts
   b. examine mechanisms for compliance
   c. identify best practices
   e. none of the above

17. Recent court cases hold that a Covered Entity is exposed to damages for:
   a. negligence and negligence per se
   b. breach of contract and implied contract
   c. breach of implied covenant of good faith and fair dealing
   e. none of the above

Post Test (continued)

18. A HIPAA risk assessment can:
   a. significantly reduce exposure to HIPAA fines and penalties
   b. guarantee that no whistleblower suits will be filed
   c. prevent state attorneys general from filing actions on behalf of residents
   d. eliminate the possibility of an OCR audit

19. HIPAA violations can lead to:
   a. administrative penalties
   b. civil penalties
   c. criminal penalties
   d. corrective action plans
   e. all of the above

20. OCR audit process includes the following:
   a. 30 to 90 days notice before a site visit
   b. site visit
   c. interviews with key personnel
   e. none of the above
Discussion Questions
1. Explain why many HIPAA violations are preventable.
2. Describe the benefits of a HIPAA risk assessment.
3. Describe how you might combine a HIPAA risk assessment with a mock OCR audit.
4. Describe the possible consequences of a HIPAA violation.
5. Discuss the OCR audit process.
6. Describe the importance of training and updating HIPAA policies, procedures and forms in terms of HIPAA compliance.
7. Discuss the level of internal effort required to attain and maintain HIPAA compliance.
8. Discuss the necessity for a HIPAA risk assessment and how a mock OCR audit might help prepare a Covered Entity for an external HIPAA review.
9. Discuss whether the Covered Entity should form a risk assessment/OCR audit response team.
10. Discuss which leadership personnel should be responsible for HIPAA compliance in the Covered Entity.
Answer Sheet

       Pre Test   Post Test
 1.    T          d
 2.    T          a
 3.    F          d
 4.    F          a
 5.    T          d
 6.    T          d
 7.    T          d
 8.    T          d
 9.    T          d
10.    F          d
11.    F          d
12.    T          d
13.    F          d
14.    F          e
15.    F          e
16.    T          d
17.    T          d
18.    F          a
19.    T          e
20.    T          d
Resource Advisor
JAMES M. BARCLAY received his bachelor of science degree from the University of Florida and his JD from Florida State University. He has worked with HIPAA privacy and security since their inception and has advised healthcare clients about HIPAA compliance. He has written and lectured about HIPAA issues extensively.

NEVCO video educational programs are prepared using specific criteria designed by National Educational Video, Inc. All educational programs are coordinated and reviewed under the direction of the NEVCO Director of Education, who is a master's-prepared nurse.
Participant Evaluation of Objectives
Please evaluate this program by circling the number that best represents how well this program met the following objectives:
4=Excellent 3=Good 2=Average 1=Poor

1. Usefulness of HIPAA violation examples                                              4 3 2 1
2. Understand HIPAA administrative, civil and criminal penalties                       4 3 2 1
3. Understand benefits of HIPAA risk assessment                                        4 3 2 1
4. Understanding processes of OCR audit and HIPAA risk assessment                      4 3 2 1
5. Learning immediate steps to reduce or eliminate common HIPAA violations             4 3 2 1
6. Learning preventability of many HIPAA violations                                    4 3 2 1
7. Understand importance of training and ongoing reviews in HIPAA compliance           4 3 2 1
8. Understanding levels of Covered Entity effort involved with HIPAA compliance        4 3 2 1
9. Understanding how a HIPAA risk assessment can reduce or eliminate HIPAA violations  4 3 2 1
10. Understanding how a mock OCR audit and a HIPAA risk assessment dovetail            4 3 2 1

Do you feel you met your personal objectives?
Time required to complete this program: ____ minutes
COMMENTS:

Please return this form to the facilitator who distributed the learning materials. Thank you!!!