2. HIPAA Compliance
855.85HIPAA | www.compliancygroup.com | Copyright 2007-2015
HIPAA compliance
• Mandatory for 7,000,000 Covered Entities (CEs) and Business Associates (BAs)
• 70% of the market is NOT compliant!
HITECH/EHR incentive requires:
• Stage 1: a Risk Assessment for Meaningful Use Core Measure 15
• Stage 2: documented corrective actions for the deficiencies the Risk Assessment found
Omnibus Rule
• Compliance date was September 2013
• Requires both CEs and BAs to be HIPAA compliant
• CEs must have Business Associate Agreements (BAAs) in place with their BAs
3. Phase 1 Audit Results
• Only Covered Entities were audited
• ONLY 11% had no findings or observations
• 98% of health care providers had at least one negative finding
• Small Covered Entities struggled with all three HIPAA standards audited (Privacy, Security, and Breach Notification)
4. Phase 2 Audits
• BOTH Covered Entities and Business Associates will be audited
• The OCR (Office for Civil Rights) audit request is sent 2 weeks prior to the audit
• Stricter audit protocols
5. Audit Preparation
• Risk Assessment completed or updated within the last 12 months
• Deficiencies discovered during the Risk Assessment addressed, or on a reasonable remediation timeline
• Updated policies and procedures
• HIPAA training for employees, required annually and whenever policies or procedures change
6. Audit Preparation (continued)
• Updated database of Business Associates
• BAAs that reflect the Omnibus Rule changes
• Inventory of IT devices with access to ePHI
• Proper and reasonable safeguards for PHI in any form, paper or electronic
• Review of your compliance plan
7. HIPAA Misconceptions
• "HHS and OCR aren't interested in my practice."
• "It's really hard and complicated, and I am better off ignoring it."
• "HIPAA is just that form we have patients sign. That's enough."
• "All I need is a Risk Assessment."
8. Compliance Plan
Step 1. Assess where you are against the regulation (gap analysis)
• The key to a risk analysis is auditing yourself against the administrative, technical, and physical safeguards HIPAA requires
• A risk analysis lets you attest to Meaningful Use Stage 1 Core Measure 15
Step 2. Remediation plan
• Prove that you remediated the deficiencies identified in the risk analysis
• Policies and procedures, training, and attestation
9. Compliance Plan (continued)
Step 3. How do you prove it? Successful compliance plans address:
• Administrative and technical
  • Policies and procedures
  • IT security
  • Devices installed and maintained within your organization
• Physical
  • Security within the physical locations of your practice(s)
(Meaningful Use Stage 2 Core Measure 9 requires that remediation of the deficiencies found during the risk analysis be documented and completed)
Step 4. Maintain your compliance
• As the regulations, your staff, and your practice change