HIPAA Summit. March 10, 2011. Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC


HITECH Act audit mandate (Section 13411): "The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C (HIPAA Security Rule) and E (HIPAA Privacy Rule) of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements." In addition, the annual report to Congress on compliance must include the number of compliance reviews conducted and the outcome of each review (Section 13424(a)(1)(D)).

OCR enforcement inputs: Audits; Complaints; Compliance Reviews; Breach Reports

Civil Monetary Penalties: violations are categorized by culpability, with tiered ranges of penalty amounts per violation and an annual cap (per calendar year, for violations of an identical provision).

Tier 1: Person did not know (and by exercising reasonable diligence would not have known)
  $100 - $50K per violation; not to exceed $25K - $1.5MM
Tier 2: Violation due to reasonable cause and not to willful neglect
  $1,000 - $50K per violation; not to exceed $100K - $1.5MM
Tier 3: Due to willful neglect, and the violation was corrected
  $10K - $50K per violation; not to exceed $250K - $1.5MM
Tier 4: Due to willful neglect, and the violation was not corrected
  At least $50K per violation; not to exceed $1.5MM

Upcoming OCR activities:
- Accounting of Disclosures Rule
- Reports to Congress on Compliance and Breach Notification
- National Outreach Campaign
- HIPAA Audit Program
- State Attorneys General Training
- Privacy Rule Minimum Necessary Guidance
- De-identification Guidance
- Final Rules on HITECH Breach Notification, Enforcement, and GINA
(Adam Greene, "Upcoming OCR Activities," HIPAA Summit West, October 2010)

Audit program design study. Purpose: to evaluate and compare compliance audit program configurations and recommend to OCR several feasible and effective program structure alternatives to implement HITECH Section 13411.

Timeline:
- Nov. 2009: RFP issued
- Mar. 2010: Contract awarded to BAH
- March - Aug. 2010: Research period
- Aug. 2010: BAH issued final report to OCR

Anticipated audit program phases:
- Planning: selection of auditing entities, creation of documentation and analysis tools, staff identification and training, establishing level of effort, pre-audit planning
- Testing: performing tests and evaluating results; drafting communications
- Reporting: communicating results of audits
- Maintenance: corrective action; transition from audit to enforcement; conducting appeals; encouraging compliance
(Adam Greene, "Preparing for the Anticipated OCR Privacy and Security Audits," HIPAA Summit West, October 2010)

What is the universe of Covered Entities and Business Associates? Some new players, since HITECH aligns the patient safety and HIPAA Rules:
- Patient Safety Organizations (PSOs) are treated as business associates when applying the Privacy Rule (42 U.S.C. 299b-22(i)(1))
- Health Information Exchange Organizations (HIEs) and Regional Health Information Organizations (RHIOs)
- E-prescribing gateways
- Vendors of personal health records
- Subcontractors (those who act on behalf of a BA)

Open questions about the audit program:
- How will auditees be selected?
- What will be the scope of the audit?
- What types of audit tools will be used?
- Who will conduct the audits?
- What will be the frequency of audits?
- How will resources be allocated?
- How much advance notice will be given?
- What type of documentation will be required to address and support audit findings?
- What will the audit report look like?
- How will recommendations be prepared, and what will they look like?
- How may findings be disputed?
- Will reports be made public?
- How will OCR ensure that corrective action is taken?
- When will enforcement be appropriate?

OCR is continuing work on a strategic plan for determining audit models and deploying the audit function. All options are still on the table. The approach needs to be cost-effective and efficiently deployed, given limited resources. The audit process will augment existing processes (investigations, compliance reviews, etc.). Will audits start in 2011?

CEs may be asked to certify on a periodic basis that they are in compliance with various requirements. One possibility is that such certification may also be used to select auditees. OCR may partner with other accrediting and/or licensing organizations.

OCR may decide to look at sentinel events (e.g., a major breach, a complaint, etc.) to determine priorities for audits. The audit process might be linked to the Meaningful Use process, e.g., the attestation requirement. OCR's consistent theme is that audits should be educational, not punitive, and that auditing will complement existing processes. Compliance is the right thing to do.

Prepare for the coming mandatory, periodic HITECH Act audits of PRIVACY and SECURITY. Audit preparation can be a tool for assessing the organization's compliance with the Privacy and Security Rules, including the new HITECH requirements. Achieving a return on investment in EHR, infrastructure, etc., and qualifying for MU incentives, requires creating and enhancing a robust privacy and security program.

Are you in compliance with the HIPAA Security Rule Evaluation standard? "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart." [Section 164.308(a)(8)]

Can you demonstrate that your policies, procedures, and practices enable a patient s individual rights (e.g., a patient s right to access his/her medical records) and can you confirm that these rights are upheld by your organization?

Do you meet the HIPAA Security Rule standards for Risk Analysis and Risk Management? Risk Analysis: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity." [Section 164.308(a)(1)(ii)(A)] Risk Management: "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a)." [Section 164.308(a)(1)(ii)(B)]

Have you completed the Risk Analysis that is required for Meaningful Use AND has always been required by the HIPAA Security Rule (compliance date April 2005)? When did you start doing risk analyses? Do your risk analyses go beyond the technical requirements of the Security Rule?

How often do you perform risk analyses? How do you document your risk analyses? Are your analyses for security and privacy integrated with your organization s enterprise-wide risk analysis process?

Have you implemented appropriate administrative, technical and physical safeguards to comply with the HIPAA Security Rule? For example:
- Encryption
- Training
- Documentation of policies and the policy process
- Auditing program
- Designation of Privacy and Security Officers
- Etc.

Do you have an ongoing program of auditing and monitoring for the Privacy and Security programs?
- Plan and objectives
- Responsibility for audit and monitoring processes
- Frequency and types of audits
- Corrective action plans
- Documentation of audits, results, and remediation
- Documentation of program changes made in response to audit reports and findings
- Reporting of findings to the Board committee, senior leaders, and managers

Update and enhance training programs, and make training continuous. Encrypt mobile devices. Update and communicate policies. Document this process.

Review documentation processes and make sure corrective actions are completed and documented. Continue enhancing the Risk Analysis and Risk Management Processes. Incorporate good privacy and security practices into day-to-day operations and embed in organizational culture.

Phyllis A. Patrick, MBA, FACHE, CHC Phyllis@phyllispatrick.com 914-696-3622 www.phyllispatrick.com