HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

Similar documents
The Relationship Between HIPAA Compliance and Business Associates

HIPAA 101: What All Doctors NEED To Know

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

All Aboard the HIPAA Omnibus An Auditor s Perspective

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

HIPAA 2017 Compliancy Group, LLC

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

HIPAA & Privacy Compliance Update

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

HIPAA Privacy, Security and Breach Notification

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

The HIPAA Omnibus Rule

Policy and Procedure: SDM Guidance for HIPAA Business Associates

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

HIPAA Security and Privacy Policies & Procedures


HIPAA & IT THE HIPAA SECURITY RULE AND THE ROLE OF THE IT PROFESSIONAL DOES YOUR IT PROVIDER UNDERSTAND THEIR ROLE AND ARE THEY COMPLIANT?

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

HIPAA and HIPAA Compliance with PHI/PII in Research

HIPAA Cloud Computing Guidance

HIPAA Tips and Advice for Your. Medical Practice

The ABCs of HIPAA Security

Putting It All Together:

What s New with HIPAA? Policy and Enforcement Update

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

HIPAA Privacy, Security and Breach Notification 2017

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

HIPAA Compliance and Auditing in the Public Cloud

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

HIPAA Privacy and Security Training Program

Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare

Breach Notification Remember State Law

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

HIPAA Privacy, Security and Breach Notification 2018

Cloud Communications for Healthcare

HIPAA Federal Security Rule H I P A A

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

IT Security in a Meaningful Use Era C&SO HIMSS Meeting

Best Practices in HIPAA Security Risk Assessments

Hospital Council of Western Pennsylvania. June 21, 2012

HIPAA and Research Contracts JILL RAINES, ASSISTANT GENERAL COUNSEL AND UNIVERSITY PRIVACY OFFICIAL

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

The simplified guide to. HIPAA compliance

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

HIPAA Comes of Age: 21 Years of Privacy and Security

When the Other Brother Steps Up: State Privacy Enforcement Actions

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

DAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018

PATRICK ROUGEAU MARC HASKELSON

A Panel Discussion. Nancy Davis

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Security and Privacy Breach Notification

HIPAA Security & Privacy

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

HIPAA For Assisted Living WALA iii

HCISPP HealthCare Information Security and Privacy Practitioner

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Abbie Miller, MCS-P. Ongoing Internal Auditing. Documentation Reviews 5/16/2015.

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

PULSE TAKING THE PHYSICIAN S

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

HIPAA FOR BROKERS. revised 10/17

Horizon Health Care, Inc.

HIPAA Security Checklist

HIPAA Security Checklist

Audits Accounting of disclosures

SO YOU RE BUILDING A HIPAA-COMPLIANT APP...

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

Latest Legal Threat for Providers Protecting Private Information in Text Messages, s and Other Electronic Transmissions

Security and Privacy Governance Program Guidelines

Transcription:

855 85 HIPAA (855-854-4722) www.compliancygroup.com 1

Started in 2005 by HIPAA auditors & Compliance experts Market need for a total end client solution Created The Guard: cloud-based solution Compliance is our business No client has ever failed an OCR or CMS audit! 100% of our clients would refer us to a friend Recognized Leader of Compliance Top Compliance Tools & Emerging Vendor Endorsed by AOAExcel, PERC, Vision Trends, idoc, First Eye Care imatrix, Ocuco, Coherent Eye, Eyetopia Plus 40 other medical associations and technology providers hosting, EHR, IT, Security Compliancy Group We simplify compliance so you can confidently focus on your business. 2

HHS Wall of Shame Based on HHS Breach Portal: Breaches Affecting 500 or More Individuals, Type of Breach https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf 3

Are YOU HIPAA Compliant? 4

Risk Assessments I had an expensive Security Risk Assessment done Am I HIPAA compliant? 5

Policies & Procedures I have a Manual, I am compliant right? 6

Workforce Training I paid for my employees HIPAA training, I am compliant. * Cost for 10 employee practice 7

Why Should I Worry About HIPAA? HIPAA is the Law Current market solutions often only address pieces of compliance Enforcement is on the rise é 400% Record fines levied: $9.3 Million in 2014 $6.2 Million in 2015 $24 Million in 2016 $16.7 Million so far in 2017* Three prison sentences Medical license revoked State Attorney General levying fines Audits All too often SRA we (Security see covered Risk entities with a limited Assessment) risk analysis? Organizations must have in place? compliant business associate? agreements as well as an accurate and thorough risk analysis We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients? Policies, privacy is fully protected. Procedures & Training - Jocelyn Samuels, Director of OCR? http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html 8

Avoidable Breach Who: Anchorage Community Mental Health Services (ACMHS) - Nonprofit org. (Alaska) What: Malware caused breach of unsecured ephi Why: Audits Policies & Procedures Training Settlement: $150,000 & CAP (Corrective Action Plan) 9

Important Definitions Covered Entity (CE): Health care providers, health plans, health care clearinghouses who electronically transmit any Protected Health Information (PHI) Business Associate (BA): Any individual or organization that creates, receives, maintains or transmits PHI on behalf of a Covered Entity (CE) Subcontractor: Create, receive, maintain or transmit PHI on behalf of a BA 10

What Information Does HIPAA Protect? PHI may include any of the following: Names Addresses Dates of Service Telephone Numbers Fax Numbers Email Addresses Social Security Numbers Medical Record Numbers Health Plan Beneficiary Numbers Account Numbers Certificate/License Numbers Vehicle identifiers/serial Numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) address numbers; Biometric identifiers Full Face Photos or Videos Any other unique identifying number, characteristic, or code 11

What is HIPAA Compliance and what is NOT Compliance vs. Security Fines vs. Risk HIPAA/HITECH Protect patient confidentiality while furthering innovation and patient care Privacy Rule and Security Rule Omnibus Business Associates must be HIPAA compliant Covered Entities must have BAAs Conduct Due Diligence Breach Notification Rule Meaningful Use Accelerate adoption of EHR (electronic Health records) HIPAA OMNIBUS Meaningful Use 12

Compliance vs. Security Audits Security, Privacy, and Administrative Gap Identification Remediation Policies & Procedures Employee Training & Attestation Business Associate Management BA Agreements & Audit Incident Management Security Risk Assessment Security Risk Analysis Penetration Testing Remediation Vulnerability Scan Prevention System Hardening Detection Behavioral monitoring Network Security Monitoring FINES REPUTATION RISK 13

Privacy Rule Sets standards for when protected health information (PHI) may be used and disclosed. Security Rule Requires safeguards to ensure only those who should have access to electronic protected health information (ephi) will have access. Breach Notification Rule Breaches of unsecured PHI require notifying HHS, affected individuals, and in some cases the media. Security Audit Privacy Audit Administrative Audit Meaningful Use Risk Assessment 14

Business Associates: Direct liability by function Directly liable for violations Omnibus Rule Must be HIPAA Compliant (Security Rule) Technical, Administrative, & Physical Safeguards Covered Entities: Compliance with Privacy Rule Must have BAAs (Business Associate Agreements) Conduct Due Diligence for the CE Contracting with subcontractors BA liability flows to all subcontractors 15

The Seven Fundamental Elements of an Effective Compliance Program Compliance according to HHS: 1. Implementing written policies, procedures and standards of conduct. 2. Designating a compliance officer and compliance committee. 3. Conducting effective training and education. 4. Developing effective lines of communication. 5. Conducting internal monitoring and auditing. 6. Enforcing standards through well-publicized disciplinary guidelines. 7. Responding promptly to detected offenses and undertaking corrective action. *Source HHS & OIG 16

Causes Of A HIPAA Audit Business Associates Phase 2 Random Meaningful Use Failure Breach Notification Low?% Medium Audit Risk-O-Meter High Reported Whistleblower Complaint 17

The Process Of An Audit Desk Audit Request for Gap and Remediation Report On Site Audit Review of all 7 Elements of Effective Compliance Corrective Action Plan Results Fines 18

Penalties 19

The Need For BAAs Who: Raleigh Orthopaedic (North Carolina) What/Why: 17,300 patients affected Handed over PHI to potential business partner without first executing a business associate agreement. Settlement: $750,000 & CAP (4/20/16) HIPAA s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise, said Jocelyn Samuels, Director of OCR. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic-bulletin/index.html 20

$31,000 Mistake Who: The Center for Children s Digestive Health (CCDH), small pediatric practice What: Investigation of a BA (Filefax) Why: Caused by OCR investigating improper disposal of PHI by Filefax; Subsequent investigation detected lack of BAA with CCDH Settlement: $31,000 & CAP (4/20/17) https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ccdh/index.html 21

But It Probably Won t Happen To Me In a recent study, more than half of business associates (59%) reported a data breach in the last two years that involved the loss or theft of patient data. More than a quarter (29%) experienced two breaches or more. Of the 345 incidents reported by HHS and listed on their site under Breaches Affecting 500 or More Individuals, 74 involved a business associate (21%). Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data conducted by Ponemon Institute http://media.scmagazine.com/documents/121/healthcare_privacy_security_be_30019.pdf 22

Lack of Timely Breach Notification = $475k Who: Presence Health What/Why: 836 patients affected Breach: missing paper operating room schedules Failed to notify within 60 days each of the 836 individuals affected Failed to notify OCR within 60 days Settlement: $475,000 & CAP (1/9/17) Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule s timeliness requirements said OCR Director Jocelyn Samuels. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach. https://www.hhs.gov/about/news/2017/01/09/first-hipaa-enforcement-action-lack-timely-breach-notification-settles-475000.html 23

Solving The HIPAA Compliance Puzzle Incident Management & Remediation Audits SRA (Security Risk Assessment), Administrative, Privacy Remediation Plans Business Associate Management Document Version, Employee Attestation & Tracking Policies, Procedures & Training 24

Compliancy Group We simplify compliance so you can confidently focus on your business. The Guard Total HIPAA compliance Solution Simple & Cost-Effective Achieve, Illustrate and Maintain TM methodology No client has ever Failed an Audit! Compliance Support Incident Management & Remediation Audits SRA (Security Risk Assessment), Administrative, Privacy Remediation Plans Compliance Coaches HIPAA Hotline, Email, chat or call Breach Support & Audit Support Seal of Compliance Verification and Validation of your HIPAA compliance Vision Trend Members 3 Months Free Business Associate Management The Guard TM Document Version, Employee Attestation & Tracking Policies, Procedures & Training 25

Questions? Need Help with Compliance? Marc Haskelson President & CEO 855-854-4722 Ext 507 Marc@compliancygroup.com 855 85 HIPAA Ext 517 (855-854-4722) Ext 517 www.compliancygroup.com info@compliancygroup.com 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback