Leading your HIPAA Compliance Culture in 2016

Leading Your HIPAA
Culture in 2016

Finished files are the re-
sult of years of scientif-
ic study combined with the
experience of many years.

Lance King
Vice President, Sales
Healthcare Compliance Solutions
Phone (801) 947-0183
lking@hcsiinc.com

What
to
expect
Lead Your Culture, Select Your Team, and Learn
✓ Create a Culture of Privacy, Security, and Safety
✓ HIPAA Breach – Identifying a Breach, Exceptions to a Breach
✓ HIPAA Protections – Security Risk Analysis, Social Media
✓ Compliance Training
Document Your Process, Your Findings, and Actions
✓ Documentation
✓ Policies and Procedures
✓ HIPAA Privacy & Security
Develop an Action Plan
✓ Audit Preparation
Mitigating Risk
✓ Ongoing Training & Culture Maintenance

FUNSTAFF ACCOUNTING COMPLIANCEPATIENTS FRONT DESK

Healthcare Compliance (HIPAA, OSHA…)
Insurance
HR
Accounting
Front Desk
Patient Care
Staff Training

Day 1 Day 10 Day 30/90 Dependent on Completion of Fieldwork
AUDIT TIMELINE

5 COMMON CIRCUMSTANCES FOR AN AUDIT
1. Disgruntled ex-employee
2. A self-reported breach
3. Employee activists
4. Patient’s fear of breach
5. Random OCR visit

CREATE A CULTURE OF PRIVACY &
SECURITY
• Communicate
• Guide
• Remind

IDENTIFYING A BREACH
1. Nature and extent of the PHI involved
2. The unauthorized person who used the PHI, or to whom it was
disclosed
3. Whether the PHI was actually viewed or acquired
4. The extent to which the risk to protect the PHI has been mitigated
“…unless the covered entity or business associate, as applicable,
demonstrates that there is a low probability that the protected health
information has been compromised based on a risk assessment of at
least the following factors”:

HIPAA BREACH
• Does your staff know who to go to
for leadership when there is a
HIPAA breach?
• Does your designated HIPAA
compliance officer know all of the
necessary steps to take in breach
notification?
• Does your HIPAA compliance
officer know where to receive
guidance?

EXCEPTIONS TO A BREACH
1.Unintentional
2.Inadvertent
3.Good faith
3 Exceptions to the definition of “breach”

HIPAA PROTECTIONS
• Ensure privacy
• Give patients more access
• Establish safeguards
• Hold violators accountable
• Strike a balance
• Enable patients
• Limit release of information
• Give patients the right to examine and obtain a copy
• Empower individuals to control certain uses and disclosures
Key Components of the HIPAA Privacy Rule:

HIPAA RISK PROTECTIONS
• Physical, Technical, and
Administrative measures
• Internal and External Security
threats
• Assessment of and
preparations for security risks

7 STEPS TO HIPAA COMPLIANCE
1. Understand the rules
2. Assign Responsibility
3. List your PHI systems
4. Conduct a Risk Analysis
5. Implement Policies and Procedures
6. Training program
7. Ongoing HIPAA progress and compliance

SECURITY RISK
• Identify where PHI exists
• Identify potential threats and vulnerabilities
to PHI
• Identify risks and their associated levels of
high, medium, or low

• Educate staff about process
• Make security a high priority
• Have an action plan
• Involve your EHR developer
• Specific to your practice
TIPS FOR A BETTER SECURITY RISK ANALYSIS

10 HIPAA SECURITY TIPS
1. Have A Written Security Policy
2. Encrypt Everything
3. Protect Your Website
4. Data Backups
5. Avoid Consumer Grade
6. Know Your Risks
7. Plan For BYOD
8. Who Is Guarding The Sheep
9. Physical Security Is Information Security
10. Know When To Call For Help

SECURITY RISK PRECAUTIONS
• Staff requests
• Hard drives
• Email
• Server
• Passwords
• Monitoring office staff
• Fire extinguishers
• Viruses and malware
Low-Cost Highly Effective Safeguards:

SOCIAL MEDIA
• Access Controls
• Personal
• Connecting with patients
• Patient waiver forms
• Training
To ensure your office remains in
HIPAA compliance, create policies
such as:

COMPLIANCE TRAINING
•Online
•In-office
•Outsourced

WORKFORCE EDUCATION &
TRAINING
• Hired or contracted
• Yearly retraining
• Changes in policies or procedures
• Changes in systems, location, or
infrastructure
• Responding to breach or disclosure
Educate and train your staff:

Documenting
the Process, the
Findings
& the Actions

DOCUMENTATION
• Policies and procedures
• Security Risk Analysis
• Training materials, and certificates of completion
• Current Business Associate Agreements
• EHR audit logs
• Risk management action plan
• Security incident and breach information
Examples of records to retain:

POLICIES AND PROCEDURES
• Establish protocols
• Training program
• Instruct your workforce
• Sanction policy for violations
• Detail enforcement
• Business Associates

Employee HIPAA Privacy & Security
• Name/ID badges
• Quiet Communication
• PHI access
Guidelines for employees:

Workstation HIPAA Privacy & Security
• Viewing PHI Documents
• Disposing of PHI
• Workstations
• Protect user ID’s and passwords
• Computers not in use
Guidelines for workstations:

Access HIPAA Privacy & Security
•Computer room access
•PHI Back-ups
•Limited office equipment
•Unoccupied Office equipment
Guidelines for access:

Environmental HIPAA Privacy & Security
•Smoke detectors and fire extinguishers
•Computer equipment
•Cyber security
•Emergency Action plan
Guidelines for environment:

• All shapes and sizes
• Across-the-board compliance
• Document in advance
AUDIT PREPARATION

• Risk management plan
• Policies and procedures
• Business Associate agreements
• PHI inventory
• Mobile devices
• Documentation
• Compliance training records
• Evidence of encryption capabilities
Some of the areas the OCR audits will cover include:
AUDIT PREPARATION

ONGOING TRAINING & CULTURE MAINTENANCE
• Patient-provider relationship
• Training on PHI safeguards
• Easy reference of Policies and
Procedures
• Addressing staff
• Re-assessing job functions

Options
Consultant
In-house
Online
_____________________________(-)(+)

What to Expect with HCSI
1. Membership Website Portal
2. Compliance Binders
3. Ongoing Support

Training
(New Employee & Retraining)
• HIPAA Privacy
• HIPAA Security
• OSHA
• Medicare
• Employment Law

Manuals
• Reference Guide
• Compliance Plans
• Certificate Binder

Consultation and Support
• Weekly and Monthly Updates
• Quarterly Newsletter
• Phone and E-mail Support
• Quarterly Assessment

Customizable Forms
• Notice of Privacy Practices
• Business Associate Agreement
• All HIPAA Privacy
• All HIPAA Security
• Gap/Risk Analysis
• HIPAA HITECH Breach Notification
• All OSHA
• All Medicare
• Employment Law
• RAC
• Posters

“Our HIPAA/OSHA compliance was a huge concern in our office, especially
after one of our employees filed a complaint with OSHA.
We started using HCSI 4 years ago and couldn't be happier with the program.
It's simple to set up and easier to use.
Do yourself a favor and sign up, it will make your life easier!”
-Dr. Kody Krause, DDS
Comfort Dental Thompson Valley, CO
Customer Testimonial

“HCSI kept my fanny out of the hoosekow with a cranky (bit
weirdo/psycho) patient who thought we had been naughty in multiple
ways.
Our association with you all made the difference. We passed the
inspection with flying colors and OCR told the "patient" to bug
off!! Loved It!”
-Lee Mecham Thrall, Clinic Administrator
Old Farm Obstetrics & Gynecology, L.L.C
Customer Testimonial

Price Breakdown
• Compliance Officer Training ($250)
• Employee Training ($500)
• Risk Analysis ($250)
• Customized Compliance Plans ($1250)
• Customizable Forms ($100)
• Posters ($100)
• Compliance Updates: E-mail & Newsletters ($50)
• Phone & E-mail Support ($500)

Compliance Officer Training
“Compliance Officer”

Customized Policies & Procedures

Quarterly Assessment Support Calls

Leading your HIPAA Compliance Culture in 2016

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Leading your HIPAA Compliance Culture in 2016

Similar to Leading your HIPAA Compliance Culture in 2016 (20)

Recently uploaded

Recently uploaded (20)

Leading your HIPAA Compliance Culture in 2016