http://hcsiinc.com
Breaches happen every day! Why not prevent a breach from turning into a 90-day audit? This presentation helps you develop your HIPAA Privacy and HIPAA Security program.
If you are interested in help: many compliance companies are hit-and-run operations. From day one, and every quarter of the year, HCSI guides the compliance representative through the HIPAA process of preparing for an audit. The practice will have everything an auditor would need, so the audit takes minutes instead of days.
WHAT TO EXPECT
Lead Your Culture, Select Your Team, and Learn
✓ Create a Culture of Privacy, Security, and Safety
✓ HIPAA Breach – Identifying a Breach, Exceptions to a Breach
✓ HIPAA Protections – Security Risk Analysis, Social Media
✓ Compliance Training
Document Your Process, Your Findings, and Actions
✓ Documentation
✓ Policies and Procedures
✓ HIPAA Privacy & Security
Develop an Action Plan
✓ Audit Preparation
Mitigating Risk
✓ Ongoing Training & Culture Maintenance
AUDIT TIMELINE
Day 1 / Day 10 / Day 30/90 (dependent on completion of fieldwork)
5 COMMON CIRCUMSTANCES FOR AN AUDIT
1. Disgruntled ex-employee
2. A self-reported breach
3. Employee activists
4. Patient’s fear of breach
5. Random OCR visit
CREATE A CULTURE OF PRIVACY & SECURITY
• Communicate
• Guide
• Remind
IDENTIFYING A BREACH
“…unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors”:
1. Nature and extent of the PHI involved
2. The unauthorized person who used the PHI, or to whom it was disclosed
3. Whether the PHI was actually viewed or acquired
4. The extent to which the risk to the PHI has been mitigated
HIPAA BREACH
• Does your staff know who to go to for leadership when there is a HIPAA breach?
• Does your designated HIPAA compliance officer know all of the necessary steps to take in breach notification?
• Does your HIPAA compliance officer know where to receive guidance?
EXCEPTIONS TO A BREACH
3 exceptions to the definition of “breach”:
1. Unintentional
2. Inadvertent
3. Good faith
HIPAA PROTECTIONS
Key Components of the HIPAA Privacy Rule:
• Ensure privacy
• Give patients more access
• Establish safeguards
• Hold violators accountable
• Strike a balance
• Enable patients
• Limit release of information
• Give patients the right to examine and obtain a copy
• Empower individuals to control certain uses and disclosures
HIPAA RISK PROTECTIONS
• Physical, Technical, and Administrative measures
• Internal and External Security threats
• Assessment of and preparations for security risks
7 STEPS TO HIPAA COMPLIANCE
1. Understand the rules
2. Assign Responsibility
3. List your PHI systems
4. Conduct a Risk Analysis
5. Implement Policies and Procedures
6. Training program
7. Ongoing HIPAA progress and compliance
SECURITY RISK
• Identify where PHI exists
• Identify potential threats and vulnerabilities to PHI
• Identify risks and their associated levels of high, medium, or low
TIPS FOR A BETTER SECURITY RISK ANALYSIS
• Educate staff about the process
• Make security a high priority
• Have an action plan
• Involve your EHR developer
• Make it specific to your practice
10 HIPAA SECURITY TIPS
1. Have A Written Security Policy
2. Encrypt Everything
3. Protect Your Website
4. Data Backups
5. Avoid Consumer Grade
6. Know Your Risks
7. Plan For BYOD
8. Who Is Guarding The Sheep
9. Physical Security Is Information Security
10. Know When To Call For Help
SECURITY RISK PRECAUTIONS
Low-Cost, Highly Effective Safeguards:
• Staff requests
• Hard drives
• Email
• Server
• Passwords
• Monitoring office staff
• Fire extinguishers
• Viruses and malware
SOCIAL MEDIA
To ensure your office remains in HIPAA compliance, create policies such as:
• Access Controls
• Personal
• Connecting with patients
• Patient waiver forms
• Training
WORKFORCE EDUCATION & TRAINING
Educate and train your staff:
• When hired or contracted
• Yearly retraining
• On changes in policies or procedures
• On changes in systems, location, or infrastructure
• On responding to a breach or disclosure
DOCUMENTATION
Examples of records to retain:
• Policies and procedures
• Security Risk Analysis
• Training materials and certificates of completion
• Current Business Associate Agreements
• EHR audit logs
• Risk management action plan
• Security incident and breach information
POLICIES AND PROCEDURES
• Establish protocols
• Training program
• Instruct your workforce
• Sanction policy for violations
• Detail enforcement
• Business Associates
EMPLOYEE HIPAA PRIVACY & SECURITY
Guidelines for employees:
• Name/ID badges
• Quiet communication
• PHI access
WORKSTATION HIPAA PRIVACY & SECURITY
Guidelines for workstations:
• Viewing PHI documents
• Disposing of PHI
• Workstations
• Protect user IDs and passwords
• Computers not in use
AUDIT PREPARATION
• All shapes and sizes
• Across-the-board compliance
• Document in advance
AUDIT PREPARATION
Some of the areas the OCR audits will cover include:
• Risk management plan
• Policies and procedures
• Business Associate agreements
• PHI inventory
• Mobile devices
• Documentation
• Compliance training records
• Evidence of encryption capabilities
CONSULTATION AND SUPPORT
• Weekly and Monthly Updates
• Quarterly Newsletter
• Phone and E-mail Support
• Quarterly Assessment
CUSTOMIZABLE FORMS
• Notice of Privacy Practices
• Business Associate Agreement
• All HIPAA Privacy
• All HIPAA Security
• Gap/Risk Analysis
• HIPAA HITECH Breach Notification
• All OSHA
• All Medicare
• Employment Law
• RAC
• Posters
CUSTOMER TESTIMONIAL
“Our HIPAA/OSHA compliance was a huge concern in our office, especially after one of our employees filed a complaint with OSHA. We started using HCSI 4 years ago and couldn't be happier with the program. It's simple to set up and easier to use. Do yourself a favor and sign up, it will make your life easier!”
- Dr. Kody Krause, DDS
Comfort Dental Thompson Valley, CO
CUSTOMER TESTIMONIAL
“HCSI kept my fanny out of the hoosegow with a cranky (bit weirdo/psycho) patient who thought we had been naughty in multiple ways. Our association with you all made the difference. We passed the inspection with flying colors and OCR told the "patient" to bug off!! Loved It!”
- Lee Mecham Thrall, Clinic Administrator
Old Farm Obstetrics & Gynecology, L.L.C.