Spurred to action by HITECH, the U.S. Department of Health and Human Services has started to enforce HIPAA regulations through a series of random audits. In 2014 the audits are expected to extend to Business Associates. In this session, attorney Richard Wagner will cover the five crucial steps that Covered Entities and Business Associates alike will need to take now to survive an unexpected audit.
1. Compliancy Group
855.85HIPAA
www.compliancygroup.com
• Please ask questions
• For today's slides: http://compliancy-group.com/slides023/
• Today's and past webinars: http://compliancy-group.com/webinar/
• Get involved: #cgwebinar
4. Quick Takeaway
The HIPAA Audit program sounds scary
Challenge – think of this as an opportunity
◦ IT/Security/Compliance: your voice can be heard
◦ Providers: better serve your patients in an increasingly insecure environment
Overall theme: tackle the priority items, then move on to the other issues
5. Agenda
HIPAA Audit Program Overview
Pilot Program Results and Discussion
Five Steps to Surviving an Audit
Questions
6. The HIPAA Audit Program
Enacted into law in 2009 (ARRA/HITECH)
Designed as a proactive alternative to purely ex post (after-the-fact) enforcement
HHS' Office for Civil Rights (OCR) oversees the program, but most of the work is contracted out to consultants
Two pilot programs (2012 and 2013)
Permanent rollout in 2014
7. Pilot: 2012-2013
Caveat: designed and implemented before the Omnibus Rule
◦ Covered Entities only, no Business Associates
◦ Used the old breach analysis, etc.
OCR findings
◦ Many issues, even intentional misrepresentations
◦ Small providers had the most difficulty
◦ Security flaws dominated the findings
12. Points of Emphasis: Security Rule
Risk assessment, risk assessment, and risk assessment
Mobile device security
◦ Data in motion
◦ Data at rest
Security incident procedures
◦ Ever more important after the HIPAA Omnibus Regulations went into effect
14. Step #1 – Organization
Initial document request period: 10 days from the postmark date of the audit letter
Done by design: the short window tests your response time
Following this step also lets you assess your documentation gaps
Update old documents
Establish an audit trail
16. Step #2 – Security Risk Assessment
The most important document you need for HIPAA compliance
◦ Stressed by OCR and the HIPAA Audit process
◦ Also has great practical value – a risk assessment is foundational to proper risk management
Does not have to be daunting – scalable according to size
What you need to assess
◦ Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Other tips
17. Step #3 – Plugging the PHI Holes
Risk management – comes on the heels of your risk assessment
Document everything
◦ Remember, the goal is to establish an audit trail
Prioritize risk mitigation actions
18. Step #4 – Business Associate Agreements
Update your BAA to reflect the Omnibus changes
◦ The changes aren't drastic, but they need to be in there
Make sure all vendors are under an agreement
◦ The BAA terms and complexity needed can vary from provider to provider
◦ Consult your attorney if necessary
Get subcontractor assurances
Related – vendor management procedures
19. Step #5 – Training
Point of emphasis in the audits, so documentation is critical
Don't limit yourself to HIPAA training
◦ Security awareness should be included as well
Use the training as an opportunity to gain information
20. Conclusions
Audits signal a major change in enforcement
As worrisome as this might sound, it can be viewed as an opportunity
Risk assessment: the foundation
The more documentation, the better