MHBE Compliance Program SECOND QUARTER FY 2019 REPORT. TO MHBE BOARD OF TRUSTEES January 22, 2019

MHBE Compliance Program SECOND QUARTER FY 2019 REPORT TO MHBE BOARD OF TRUSTEES January 22, 2019 Presented by: Caterina Pañgilinan

Audit Status Report

Total Audit Findings; Open Findings
(3) SMART PY17; SMART Employer Sponsored Coverage
(4) Independent External Audit PY17; IEA Hierarchy of Denial Reasons
(4) Recruitment Evaluation Division FY17
(7) IRS 1075 Safeguards FY17
(9) OLA Finance Performance FY14 FY17*

Corrective Actions Implemented
Recruitment and Evaluation: Minimum Educational Requirements Interview Scoring Assessment Above Base Appointments Validate Education Requirements
IRS Safeguards: Physical Security Access Log FTI Tape Labeling Exhibit 7 Language FTI Training Disclosure Awareness IRS Background Checks
SMART and Independent Audit: Periodic Data Matching VLP STEP 3 QHP Enrollment Error Incarceration Status Accrual Process

OLA Audits
Period FY2014 FY2017*

Eligibility
Findings: Income Verification
Corrective Actions: Maryland Automated Benefits System; Internal Revenue Services; Federal Data Services HUB

Access Control
Findings: User Access & Critical Changes
Corrective Actions: Create New User Role; Revamp Privileging Process; Validate Changes

IT Systems Controls
Findings: Coding Changes & Intrusion Data Protection Systems
Corrective Actions: Enhance Tracking System; Increase Layered Security

OLA Audits FY2014 FY2017

Findings; Corrective Actions
Procurement Contract Monitoring Master Contract/IDIQ Approval Solicitation Timeframe/Bid Security Connector Entity Payroll CSC Billing Verification Hosting Monitoring
Address Approval of Task Orders >$200k; Quantify Technical Evaluations; Revise Board Procurement Policy; Enhance Competitive Bid Controls; Backup Documentation; Require SOC 2 Type 2 Audits
Fiscal Reporting Discussion Note: Report Liabilities to Government Accountability Division (GAD) Contingent Liability

[Chart: Non Producer Privacy Incidents FY18 vs. FY19 Dec; monthly counts, Jul through Jun, series FY18 and FY19]

Privacy Incidents YTD Q2 FY19
102 Reported incidents; 15 Breach notifications
- 70% Misloads PII Fully Secured within 24 hours of Notification
- 34.2% Increase in reported incidents from 76 to 102
- Misloaded VCLs account for 69% of all Non-Producer Incidents
- 20% Increase of Misloaded documents 1.78 to 2.10 per 10,000 uploads (66 in 315k uploads)
- 21% Reduction in avg. days from Misload to report 4.2 to 3.3
- 12.5% Increase in CSR error rate 1.37 to 1.53 per 100,000 calls (9 in 588k calls)
- Breach Notifications sent within 10 days on average

Mitigation Strategies FY19
- Implement Standard Encryption of Producer Inboxes
- Support MDH Incident Investigations and Follow up NEEA with Carriers (KP/HPS/UHC) and Aetna SOC 2 Type 2 Audits
- Update NEE Compliance Tool
- Perform Privacy Gap Analysis between HIPAA and ACA

Privacy Incidents YTD Q2 FY 19
[Pie charts: Reporting Entity; Breach Causing Entities; Incidents by Type. Legend labels: Partner Government Agency Partner Government Agency Undetermined Misload Other MHBE Vendor Producer Connector Entity CSR Error MHBE Internally MHBE Vendor Consumer Error Unencrypted email Connector Entity ACSE Unauthorized Disclosure Mail]

Compliance Hotline and Fraud Waste & Abuse

FY19 YTD COMPLIANCE HOTLINE CALLS
Department              # of Calls   Percentage
Civil Rights Officer    5            3%
Compliance Unit         7            4%
Constituent Services    181          94%
Grand Total             193          100%

FY19 YTD Fraud, Waste & Abuse Reports
- 12 Allegations
- 5 Referred to MDH
- 6 Unfounded
- 1 Open

QUESTIONS? THANK YOU!