Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare
- Primrose Clarissa Hudson
Slide 1: Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare

Speaker: Rita Bowen, MA, RHIA, CHPS, SSGB

In her role as Vice President of Privacy, HIM Policy and Education, Bowen ensures that new and existing client HIM policies and procedures are at code and drives the development, implementation and maintenance of MRO's privacy and training programs. She also serves as the company's Privacy and Compliance Officer (PCO). Bowen has more than 40 years of experience in Health Information Management (HIM), holding a variety of HIM director and consulting roles. Most recently, she was Senior Vice President and Privacy Officer for HealthPort, Inc., now known as CIOX Health, and served as Enterprise Director of HIM and Privacy Officer at Erlanger Health System. Bowen is an active member of the American Health Information Management Association (AHIMA) and has served as its President and Board Chair, as a member of the Board of Directors, and on the Council on Certification. She has been honored with AHIMA's Triumph Award in the mentor category and is also the recipient of the Distinguished Member Award from the Tennessee Health Information Management Association (THIMA). Bowen is an established author and speaker on HIM topics and has taught HIM studies at Chattanooga State and the University of Tennessee Memphis. She holds a Bachelor of Medical Science degree with a focus in medical record administration and a Master's degree in Health Information/Informatics Management Technology.
Slide 2: Agenda

1. Brief introduction to the OCR and HIPAA enforcement
2. Discuss the latest updates from the OCR related to Phase 2 of the HIPAA Audit Program
3. Share lessons learned from previous OCR audits and resolution agreements to help enhance your organization's overall compliance program
4. Provide best practices on how to prepare for and respond to an OCR audit or an OCR investigation

MRO Overview: 2nd largest ROI provider; 3,700 locations; 98% client retention; #1 KLAS; growth

Copyright MRO Corporation 2016
Slide 3: HIPAA Enforcement

Through HIPAA, HHS/OCR is responsible for enforcing the Rules, and it does so in several ways:
- Investigates complaints filed with it;
- Conducts compliance reviews of Covered Entities;
- Conducts audits of Covered Entities and Business Associates;
- Performs education and outreach to foster compliance with the HIPAA Privacy, Security, and Breach Notification Rules; and
- Works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.

Complaints (45 CFR (a)-(b)): a complaint can be filed with the Secretary of HHS by anyone who believes that a Covered Entity (CE) or Business Associate (BA) violated their own or someone else's health information privacy rights, or committed another violation of the HIPAA Privacy, Security, or Breach Notification Rules.

Sources: 45 CFR
Slide 4: HIPAA Enforcement: Determining Whether an Impermissible Use or Disclosure of PHI Is a Breach

Pre-Omnibus Rule: the impermissible use or disclosure of PHI is a Breach if such use or disclosure poses a significant risk of financial, reputational, or other harm to the individual.

Post-Omnibus Rule: the impermissible use or disclosure of PHI is presumed to be a Breach unless the CE or BA demonstrates, based on a risk assessment, that there is a low probability that the PHI has been compromised.

Breach Notification

If an impermissible use or disclosure of PHI is determined to be a Breach, CEs must provide notification of the Breach to affected individuals, the Secretary of HHS (the Secretary), state entities (under applicable state law) and, in certain circumstances, the media.

Breach timeline requirements:

Breach affecting fewer than 500 individuals:
- To the individual: without unreasonable delay and in no case later than 60 days following discovery of the Breach
- To the Secretary: no later than 60 days after the end of the calendar year in which the Breach was discovered
- To the media: N/A

Breach affecting 500 or more individuals:
- To the individual: without unreasonable delay and in no case later than 60 days following discovery of the Breach
- To the Secretary: without unreasonable delay and in no case later than 60 days following discovery of the Breach
- To the media: without unreasonable delay and in no case later than 60 days following discovery of the Breach

Sources: 45 CFR
Slide 5: HIPAA Wall of Shame

Resolution of Complaints / Investigations

If the evidence indicates that the CE was not in compliance, OCR will attempt to resolve the case by obtaining one or more of the following:
- Voluntary compliance
- Corrective action
- Resolution agreement
- Civil money penalties (CMPs)

Sources: 45 CFR
American Institute of CPAs
Slide 6: OCR Enforcement Results

- Over 128,937 complaints received
- 75,705 were deemed ineligible for OCR investigation
- 24,126 led to OCR investigations that resulted in corrective actions
- 12,505 resulted in OCR intervention and the provision of technical assistance, with no other action
- 10,955 investigations found no violations
- ~866 led to OCR compliance reviews
- 33 resulted in the application of corrective measures that included payment of a resolution amount in lieu of civil money penalties

Resolution Agreements / CMPs (date, entity, resolution amount; CMPs marked):
- 4/21/2016: New York Presbyterian Hospital, $2,200,000
- 4/20/2016: Raleigh Orthopaedic Clinic, P.A., $750,000
- 3/17/2016: Feinstein Institute for Medical Research, $3,900,000
- 3/16/2016: North Memorial Health Care, $1,550,000
- 2/16/2016: P.T., Pool & Land Physical Therapy, Inc., $25,000
- 2/3/2016: Lincare, Inc., $239,800 (CMP)
- 12/14/2015: The University of Washington Medicine, $750,000
- 11/30/2015: Triple-S Management Corporation, $3,500,000
- 11/24/2015: Lahey Hospital and Medical Center, $850,000
- 8/31/2015: Cancer Care Group, P.C., $750,000
- 6/10/2015: St. Elizabeth's Medical Center, $218,400
- 4/22/2015: Cornell Prescription Pharmacy, $125,000
- 12/2/2014: Anchorage Community Mental Health Services, $150,000
- 6/23/2014: Parkview Health System, Inc., $800,000
- 5/7/2014: New York and Presbyterian Hospital and Columbia University, $4,800,000
- 4/22/2014: Concentra Health Services, $1,725,220
- 4/22/2014: QCA Health Plan, Inc., $250,000
- 3/7/2014: Skagit County, Washington, $215,000
Slide 7: Resolution Agreements / CMPs (continued)
- 8/14/2013: Affinity Health Plan, Inc., $1,215,780
- 7/11/2013: WellPoint, $1,700,000
- 6/13/2013: Shasta Regional Medical Center, $275,000
- 5/23/2013: Idaho State University, $400,000
- 12/31/2012: Hospice of Northern Idaho, $50,000
- 9/17/2012: Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc., $1,500,000
- 6/26/2012: Alaska DHSS, $1,700,000
- 4/13/2012: Phoenix Cardiac Surgery, $100,000
- 3/13/2012: BCBST, $1,500,000
- 7/6/2011: UCLA Health System, $865,500
- 2/14/2011: General Hospital Corporation and Massachusetts General Physicians Organization, Inc., $1,000,000
- 2/4/2011: Cignet Health of Prince George's County, $4,300,000 (CMP)
- 12/3/2010: Management Services Organization Washington, Inc., $35,000
- 7/27/2010: Rite Aid Corporation, $1,000,000

Top HIPAA Privacy and Security Rule Compliance Issues Identified by OCR
1. Impermissible uses and disclosures of PHI;
2. Lack of physical and technical safeguards of PHI;
3. Use or disclosure of more than the minimum necessary PHI;
4. Lack of patient access; and
5. Lack of administrative safeguards of electronic PHI (ePHI)
Slide 8: Background on the OCR HIPAA Audit Program

The HITECH Act requires that OCR conduct periodic audits of CEs and BAs.

Phase 1 of the HIPAA Audit Program:
- 115 audits of Covered Entities
- Found that many of the participants lacked awareness of key Privacy and Security Rule requirements:
  - Notices of Privacy Practices
  - Patient access
  - Risk analyses on a regular basis
  - Secure disposal of media containing PHI

Phase 2 of the OCR HIPAA Audit Program:
- All CEs and BAs are eligible for an audit, except CEs or BAs involved in an ongoing OCR complaint investigation or compliance review
- New audit protocols released on April 4, 2016
- NOTE: OCR has a 10-day turnaround time for all requested information!
Slide 9: Phase 2 of the OCR HIPAA Audit Program

- Launched on March 21, 2016
- Contact verification emails sent out around March 21, 2016
- Audit pre-screening questionnaires emailed on or about April 4, 2016; responses will be used to choose a diverse sample of CEs and BAs that vary in size, type, corporate status, geography, and affiliations
- Plan is to conduct 200 audits of CEs and BAs
- Phase 2 has 3 stages:
  1. Desk audits of CEs
  2. Desk audits of BAs (most likely technology-related BAs)
  3. On-site audits of both CEs and BAs

Key Changes to the Audit Program
- Main focus shifts from on-site to desk audits, BUT:
  - On-site full compliance audits are projected following the desk audits
  - Complaints will still trigger full investigations, as will serious compliance issues uncovered by desk audits
  - FCi Federal Inc. contracted for data security audits
- Audits previously outsourced are now conducted internally, except security
- State privacy laws and rules will not be considered
Slide 10: Key Changes to the Audit Program (continued)
- Program was delayed for creation of the reporting portal and updating of the audit protocols to include the Omnibus Rule changes
- Budget increased by $4 million in 2016
- State privacy laws and rules will not be considered

Phase 2: First Stage (May 2016)
Chosen CEs will need to provide information about each of their BAs:
- names,
- type of services provided,
- contact information for a first point of contact,
- contact information for a second point of contact, and
- website
Slide 11: Phase 2: First Stage (May 2016)
Chosen CEs could be audited on:
- Privacy Rule compliance
  - Notice of Privacy Practices
  - Patient's right to access
- Security Rule compliance
  - Security risk analysis/assessment
  - Risk management plan
- Breach Notification Rule compliance
  - Breach notification policy
  - Breach notifications to patients
  - Instances where a breach risk assessment concluded there was no breach
  - Timeline from discovery to notification
Slide 12: Phase 2: Second Stage (June 2016)
Chosen BAs could be audited on:
- Security risk analysis/assessment
- Risk management plan
- Breach notification to CEs (including all of the breach notification items listed above)

Phase 2: Stage 3 (by the end of 2016)
- CEs and BAs will be chosen to participate in on-site audits via notification
- On-site audits will be comprehensive and will likely include a 3-5 day on-site visit by the OCR
- Will use the newly released audit protocols
- Auditors prepare draft findings within 10 days; the CE or BA can return comments
- Auditors prepare the final report within 30 days
Slide 13: Updated Audit Protocols
Lengthy but straightforward:
- 89 Privacy Rule audit sections, with many subsections
- 72 Security Rule audit sections, with many subsections
- 19 Breach Notification Rule audit sections, with many subsections

Audit Timelines
- Audited entities have 10 business days to respond via the portal
- Documentation must be digital and current as of the date of the request (little to no weight is given to documents dated after the request)
- Auditors will not contact the entity to ask for clarification
- Items submitted after the deadline may not be reviewed
- Auditors prepare draft findings within 10 days; the CE can return comments
Slide 14: Audit Timelines (continued)
- Auditors prepare the final report within 30 days
- Failure to respond may lead to referral for a full compliance review
- OCR will analyze and aggregate the data to develop tools and guidance to assist with compliance self-evaluation and breach prevention
- The list of audited entities and their findings won't be posted, but OCR must comply with Freedom of Information Act (FOIA) requests

Preparation
- Review the 2016 guidance/FAQs and all policies and procedures (P&Ps) regarding patient access, in addition to your BAs' P&Ps regarding access
- Make sure the accounting of disclosures (AOD) database is up to date and can extract data on patient and patient-directed requests (charges and fulfillment time)
- Review everything related to breaches: breach P&Ps, breach risk assessment/analysis, breach notifications to patients, and the workforce sanctions policy
Slide 15: Preparation (continued)
- Make sure the Security Risk Assessment and Risk Management plans are up to date
- The risk analysis must not only identify the gaps, but also:
  - Identify the location of all PHI;
  - Identify what the threats to that PHI are;
  - Identify how the PHI is vulnerable to impermissible use and disclosure;
  - Identify what the risk levels are;
  - Be periodically updated; and
  - Include corrective actions for the gaps identified
- Have a list of all BAs with contact info
- Audit your BAs; start with questionnaires
- Prepare your workforce
Slide 16: Workforce Training/Resources
- Initial comprehensive training, then annual training
- Systematic workflow
- Documentation
- Ongoing privacy and security tips: employee newsletters, technology applications, OCR YouTube videos
- Competency testing
- Retraining as required

If You Are Contacted by the OCR
Assemble your response team (or create one):
- Privacy and Security Officers
- Legal
- Risk Management
- Health Information Management
- Compliance
- Information Technology
Slide 17: If You Are Contacted by the OCR (continued)
- Ask for any paperwork that the OCR might have:
  - Search warrants or inspection orders (if applicable)
  - Copies of complaints
  - List of the documents they are looking for
- Remember that everything submitted to the OCR pursuant to an investigation or audit is FOIA-able

Resources/Helpful Tools: Administrative Safeguards
- HHS, Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework
- HHS Guidance on Risk Analysis
- ONC's Security Risk Assessment Tool (an updated tool is due out any day now)
- HHS Security Rule Guidance Material
Slide 18: Resources/Helpful Tools
Minimum Necessary Rule
- HHS Guidance on the Minimum Necessary Requirement
Technical and Administrative Safeguards
- HHS Guidance on Technical Safeguards: ve/securityrule/techsafeguards.pdf
- HHS Guidance on Physical Safeguards: ve/securityrule/physsafeguards.pdf

Thank You
More informationIncident Response: Are You Ready?
Incident Response: Are You Ready? Chris Apgar, CISSP Apgar & Associates, LLC 2014 Security Incident vs. Breach Overview Security Incident Planning and Your Team Final Breach Notification Rule a refresher
More information(c) Apgar & Associates, LLC
Incident Response: Are You Ready? Chris Apgar, CISSP Apgar & Associates, LLC 2014 Security Incident vs. Breach Overview Security Incident Planning and Your Team Final Breach Notification Rule a refresher
More informationSteffanie Hall, RHIA HIM Director/Privacy Officer 1201 West 12 th Emporia, Kansas ext
JOINT NOTICE OF PRIVACY PRACTICES NEWMAN REGIONAL HEALTH, NEWMAN REGIONAL HEALTH MEDICAL PARTNERS, HOSPICE, NEWMAN PHYSICAL THERAPY, COMMUNITY WELLNESS AND MEMBERS OF THE NEWMAN REGIONAL HEALTH ORGANIZED
More informationFederal Breach Notification Decision Tree and Tools
Federal Breach Notification and Tools Disclaimer This document is copyright 2009 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers
More informationHIPAA Cloud Computing Guidance
HIPAA Cloud Computing Guidance Adam Greene, JD, MPH Partner Rebecca Williams, BSN, JD Partner Nature is a mutable cloud which is always and never the same Ralph Waldo Emerson 2 Agenda A few historical
More informationHIPAA 101: What All Doctors NEED To Know
HIPAA 101: What All Doctors NEED To Know 1 HIPAA Basics HIPAA: Health Insurance and Portability Accountability Act of 1996 Purpose: to protect confidential information through improved security and privacy
More informationDON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY
DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY Practice Areas: Healthcare Labor and Employment JASON YUNGTUM jyungtum@clinewilliams.com (402) 397 1700 Practice Areas: Healthcare
More informationNE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
NE HIMSS Vendor Risk October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Does Vendor Management Feel Like This? 2 Vendor Risk Management Lifecycle
More informationHIPAA COMPLIANCE AND DATA PROTECTION Page 1
HIPAA COMPLIANCE AND DATA PROTECTION info@resultstechnology.com 877.435.8877 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and RESULTS Cloud
More informationSecurity Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer
Security Rule for IT Staffs J. T. Ash University of Hawaii System HIPAA Compliance Officer jtash@hawaii.edu hipaa@hawaii.edu Disclaimer HIPAA is a TEAM SPORT and everyone has a role in protecting protected
More informationSecurity and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018
Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations Christopher S. Yoo University of Pennsylvania July 12, 2018 Overview of Research Tort and products liability for CPS Privacy and
More informationCERT Symposium: Cyber Security Incident Management for Health Information Exchanges
Pennsylvania ehealth Partnership Authority Pennsylvania s Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh,
More informationIf a HIPAA Breach Happens, Are You Ready?
If a HIPAA Breach Happens, Are You Ready? Greg Vetter Director, Healthcare Consulting McGladrey Caron Cullen Sr. VP & Chief Compliance Officer Affinity Health Plan Topics If a breach happens, are you ready?
More informationHIPAA Comes of Age: 21 Years of Privacy and Security
Cyber Hot Topics Webinar Series: HIPAA Comes of Age: 21 Years of Privacy and Security August 17, 2017 11:30AM 12:30PM CST Presented by: Andrew Elbon, Judd A. Harwood, Amy S. Leopard, and Jordan A. Stivers
More informationAdvanced HIPAA /19/2016. Today s Agenda. What is the HIPAA Privacy Rule? Abbie Miller, MCS-P
Advanced HIPAA 2016 Abbie Miller, MCS-P Today s Agenda A HIPAA eye toward social media and texting Please get your Business Associate agreements in order! Some definitions pertaining to HIPAA Privacy Dispose
More informationHIPAA Audits and the New Audit Protocol
Presenting a live 90-minute webinar with interactive Q&A HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance TUESDAY, FEBRUARY 5, 2013 1pm Eastern
More informationTechnology General Controls and HIPAA Security Compliance: Covering the Bandwidth in One Audit
Technology General Controls and HIPAA Security Compliance: Covering the Bandwidth in One Audit Michael Morrow, Jennifer McGillCompany Carolinas Healthcare System 2011 AHIA Annual Conference Track D1 Wednesday,
More informationPatient Access & Charging for Medical Records. General Right to Access. Requests for Access. Charging for Copies
Patient Access & Charging for Medical Records Copyright 2017 State Volunteer Mutual Insurance Company Today s Agenda 1 2 3 4 5 6 General Right to Access Requests for Access Providing Access Charging for
More informationHCISPP HealthCare Information Security and Privacy Practitioner
HCISPP HealthCare Information Security and Privacy Practitioner William Buddy Gillespie, HCISPP Global Academic Instructor (ISC)² Former Healthcare CIO Chair Advocacy Committee, CPAHIMSS budgill@aol.com
More informationWhen the Other Brother Steps Up: State Privacy Enforcement Actions
When the Other Brother Steps Up: State Privacy Enforcement Actions Healthcare Enforcement Compliance Conference November 6, 2018 Washington, DC Blaine Kerr, CISA, CHPC Chief Privacy Officer Jackson Health
More informationHIPAA For Assisted Living WALA iii
Table of Contents The Wisconsin Assisted Living Association... ix Mission... ix Vision... ix Values... ix Acknowledgments... ix Who Should Use This Manual... x How to Use This Manual... x Updates and Forms...
More informationUpdate from HIMSS National Privacy & Security. Lisa Gallagher, VP Technology Solutions November 14, 2013
Update from HIMSS National Privacy & Security Lisa Gallagher, VP Technology Solutions November 14, 2013 Agenda Update on HIMSS new Technology Solutions Department HIPAA Omnibus Rules Meaningful Use 2 P&S
More informationCYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston
CYBERSECURITY Recent OCR Actions & Cyber Awareness Newsletters Claire C. Rosston DISCLAIMER This presentation is similar to any other legal education materials designed to provide general information on
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationCredit Card Data Compromise: Incident Response Plan
Credit Card Data Compromise: Incident Response Plan Purpose It is the objective of the university to maintain secure financial transactions. In order to comply with state law and contractual obligations,
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More informationPrivacy & Information Security Protocol: Breach Notification & Mitigation
The VUMC Privacy Office coordinates compliance with the required notification steps and prepares the necessary notification and reporting documents. The business unit from which the breach occurred covers
More informationHIPAA Security Awareness Training
HIPAA Security Awareness Training Spring 2015 DBHDS Vision: A life of possibilities for all Virginians What is HIPAA? HIPAA means: Health Insurance Portability and Accountability Act It is a set of regulations
More informationHIPAA Privacy, Security and Breach Notification 2017
HIPAA Privacy, Security and Breach Notification 2017 An Eagle Associates Presentation Eagle Associates, Inc. www.eagleassociates.net info@eagleassociates.net P.O. Box 1356 Ann Arbor, MI 48106 800-777-2337
More informationDAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT
P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT APRIL 7, 2019 David Behinfar, Chief Privacy Officer University of North Carolina Health Katherine Georger, Associate
More informationENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?
ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT? Jonathan Carroll, MBA, CISSP AVP Enterprise IT Operations Information Security Officer University of Connecticut Why Are We Talking About This? Data breaches
More information10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment
Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing
More information