DAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT

Size: px

Start display at page:

Download "DAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT"

Melvin Simmons
5 years ago
Views:

P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT APRIL 7,

Georger, Associate Compliance Officer & Director of Privacy Duke University Health System Adam

Privacy Officer Encompass Health 1 DAVID J BEHINFAR, JD., LLM.

1 P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT APRIL 7, 2019 David Behinfar, Chief Privacy Officer University of North Carolina Health Katherine Georger, Associate Compliance Officer & Director of Privacy Duke University Health System Adam Greene, Partner Davis Wright Tremaine LLP Christopher Terrell, Deputy Chief Compliance Officer & Privacy Officer Encompass Health 1 DAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US David Behinfar, JD, LLM, CHC, CHRC, CCEP, HCISPP, CIPP/US Chief Privacy Officer UNC Health Care System 2 1

KATHERINE GEORGER, JD, CHC, CHRC, CIPP/US Katherine Georger, JD, CHC, CHRC, CIPP/US Associate Compliance Officer & Director of Privacy Duke University Health System Duke University Health System is a

through clinical and biomedical research.

Regional Hospital and Duke Raleigh Hospital physician practices, home hospice care and various support services at locations across North Carolina.

2 KATHERINE GEORGER, JD, CHC, CHRC, CIPP/US Katherine Georger, JD, CHC, CHRC, CIPP/US Associate Compliance Officer & Director of Privacy Duke University Health System Duke University Health System is a world class private, not for profit health care network dedicated to providing outstanding patient care, educating tomorrow's health care leaders, and discovering new and better ways to treat disease through clinical and biomedical research. Founded in 1998 to provide efficient, responsive care, the health system offers a full network of health services and encompasses three highly regarded hospitals Duke University Hospital, Durham Regional Hospital and Duke Raleigh Hospital physician practices, home hospice care and various support services at locations across North Carolina. Advancing Health Together 3 CHRISTOPHER TERRELL, JD, CHC, CHPC Christopher T. Terrell, JD, CHC, CHPC Deputy Chief Compliance Officer & Privacy Officer Encompass Health Corporation Christopher T. Terrell, J.D., CHC, CHCP, is the Deputy Chief Compliance Officer & Privacy Officer for Encompass Health Corporation. In this capacity, Mr. Terrell assists the Chief Compliance Officer in the day to day operations of the Ethics & Compliance Department. He also provides guidance and advice on a range of healthcare regulatory compliance issues such as the Stark Law, the Anti kickback Statute, and the False Claims Act. Mr. Terrell also oversees, and conducts, compliance investigations. As privacy officer, Mr. Terrell provides advice and guidance on regulatory issues pertaining to HIPAA compliance and conducts investigations to determine whether HIPAA breaches have occurred. Prior to his current role, Mr. Terrell served five and one half years in the HealthSouth Legal Services Department. Prior to joining HealthSouth, Mr. Terrell was a partner at the law firm of Balch & Bingham, based in 4 Birmingham, Alabama. 2

ADAM GREENE, JD, MPH Adam is a nationally recognized authority on HIPAA and the HITECH Act, primarily counsels health care systems and technology

Adam Greene, Partner Davis, Wright, Tremaine, LLP A former regulator at the U.S.

At HHS, Adam was responsible for determining how HIPAA rules apply to new and emerging health information technologies and he was instrumental in the

3 ADAM GREENE, JD, MPH Adam is a nationally recognized authority on HIPAA and the HITECH Act, primarily counsels health care systems and technology companies on compliance with the HIPAA privacy, security, and breach notification requirements. Adam Greene, Partner Davis, Wright, Tremaine, LLP A former regulator at the U.S. Department of Health and Human Services (HHS), Adam played a key role in administering and enforcing the HIPAA rules. At HHS, Adam was responsible for determining how HIPAA rules apply to new and emerging health information technologies and he was instrumental in the development of the current enforcement process. 5 RELATIONSHIPS Assess Institutional Support for Privacy Office Activities Leadership Support Funding IDENTIFY STRATEGIC PARTNERS Information Security/IT Legal Compliance Risk Management Procurement/Contracts Internal Audit Physicians Medical/Administrative Departments Outside Counsel 6 3

Sanctions/Discipline/Corrective Actions 7

Analysis Present the here s the things we

4 CRITICAL PRIVACY PROGRAM ELEMENTS Professionals/ Staff Seven Elements of an Effective Privacy Compliance Program: Policies Training Auditing/Monitoring Incident Reporting/Non Retaliation Investigations (Whistleblower protections) Sanctions/Discipline/Corrective Actions 7 UNDERSTANDING RESOURCES Perform a GAP Analysis Present the here s the things we are supposed to be doing, but we are not or we are doing them but not well requests Leverage examples of settlements and financial penalties to reinforce your point. 8 4

Building metrics helps keeps you on track and better ties your program to overarching organizational objectives.

5 METRICS Evaluating your program and building metrics What are you actually doing on a day to day basis? And how are you improving the institutional program? Building metrics helps keeps you on track and better ties your program to overarching organizational objectives. 9 INVESTIGATION METRICS 200 Total # of Reported Privacy Investigations 61% 62% 58% 50% QTR 1 QTR 2 QTR 3 QTR 4 Focused Audits (Alleged Inappropriate Access) Disclosure Investigations Substantiated Rate 10 5

6 AUDITING METRICS Routine audits validating your organization s compliance with Privacy Rule provisions: Metrics on: EHR access audits NPP offered at first visit and Acknowledgement signed BAAs in place using current form Audit type Entity level Disciplinary action for audits indicating violations Corrective actions and report results ACCESS AUDIT METRICS 12 6

7 TRAINING METRICS Do you have a Training Plan that will permit more than simple metrics? In person training: Executive, NEO, Annual (all staff), specialized Electronic training: NEO, Annual (all staff), specialized Training offered at staff or leadership meetings In service education (lunch and learn) Homegrown and outsourced training Newsletters White papers, infographics Training offered after incidents occur Do you have a library of training resources CONSULT AND GUIDANCE METRICS 7

PROGRAM METRICS (KPIS) AT A GLANCE Key Privacy Office Performance Indicators BECOMING A LEADER & SELLING THE PROGRAM TO LEADERSHIP Transform your privacy program gap analysis into action Assess

8 PROGRAM METRICS (KPIS) AT A GLANCE Key Privacy Office Performance Indicators BECOMING A LEADER & SELLING THE PROGRAM TO LEADERSHIP Transform your privacy program gap analysis into action Assess Institutional Support for Privacy Appreciate and Understand Your Organizational Culture/Risk Appetite Recognize Institutional Politics Attention and Direction Should Be Dictated By: Your Vision The Results of Your Institutional Resources & Support Your Evaluation of Risk and Organizational Risk Appetite 16 8

9 LOOKING AT OUR CRYSTAL BALL 17 HIPAA ENFORCEMENT TRENDS 18 9

ENFORCEMENT HIGHLIGHTS (As of Feb 2019) 64 OCR financial enforcement actions 60 financial settlements 4 civil monetary penalties (CMPs) Average amount: $1.6 million Average financial settlement: ~$1.

10 ENFORCEMENT HIGHLIGHTS (As of Feb 2019) 64 OCR financial enforcement actions 60 financial settlements 4 civil monetary penalties (CMPs) Average amount: $1.6 million Average financial settlement: ~$1.5 million Average CMP: ~$3 million 19 ENFORCEMENT HIGHLIGHTS OCR HIPAA Settlements/CMPs Per Year

ENFORCEMENT HIGHLIGHTS OCR HIPAA Settlements/CMPs: Average Amount Per Year $3,000,000 $2,607,582 $2,500,000 $2,250,000 $2,000,000 $2,055,167 $1,808,100 $1,941,418 $1,500,000

11 ENFORCEMENT HIGHLIGHTS OCR HIPAA Settlements/CMPs: Average Amount Per Year $3,000,000 $2,607,582 $2,500,000 $2,250,000 $2,000,000 $2,055,167 $1,808,100 $1,941,418 $1,500,000 $1,000,000 $970,000 $748,156 $1,134,317 $1,032,233 $500,000 $517,500 $100,000 $ PHASE II AUDIT PROGRAM: REPORT CARD 22 11

12 PHASE II AUDIT PROGRAM: COVERED ENTITIES Rating Element # Provision N/A P55 Notice P58 enotice P65 Access BNR 12 Timeliness BNR13 Content S2 Risk Analysis S3 Risk Management OCR Presentation at 2018 HIPAA Summit 23 PHASE II AUDIT PROGRAM: BUSINESS ASSOCIATES Rating Element # Provision N/A BNR17 Notice to CEs S2 Risk Analysis S3 Risk Management OCR Presentation at 2018 HIPAA Summit 24 12

13 OPEN DISCUSSION/QUESTIONS 25 13

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute Health Law Institute Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More Brooke Bennett Aziere October 18, 2017 Agenda Enforcement Trends Phase 2 HIPAA Audits Upcoming Initiatives 1 Enforcement