Surviving a HIPAA Audit: Five Crucial Steps

Spurred to action by HITECH, the U.S. Department of Health and Human Services has started to enforce HIPAA regulations through a series of random audits. In 2014 the audits are expected to extend to Business Associates. In this session, attorney Richard Wagner will cover the five crucial steps that Covered Entities and Business Associates alike will need to take now to survive an unexpected audit.

Published in: Health & Medicine

Surviving a HIPAA Audit: Five Crucial Steps

  1. 855.85HIPAA   www.compliancygroup.com   Industry leading Education Certified Partner Program
     • Please ask questions
     • For today's slides: http://compliancy-group.com/slides023/
     • Today's & past webinars go to: http://compliancy-group.com/webinar/
     Get Involved. #cgwebinar
  2. Surviving a HIPAA Audit: Five Crucial Steps
     RICHARD WAGNER
  3. Quick Poll #1
  4. Quick Takeaway
     • The HIPAA Audit program sounds scary
     • Challenge – think of this as an opportunity
       ◦ IT/Security/Compliance: voice can be heard
       ◦ Providers: better serve your patients in an increasingly unsecure environment
     • Overall theme: tackle the priority items, then move on to the other issues
  5. Agenda
     • HIPAA Audit Program Overview
     • Pilot Program Results and Discussion
     • Five Steps to Surviving an Audit
     • Questions
  6. The HIPAA Audit Program
     • Enacted into law in 2009 (ARRA/HITECH)
     • Designed to combat ex post enforcement
     • HHS' Office of Civil Rights (OCR) oversees the program, but most work is contracted out to consultants
     • Two pilot programs (2012 and 2013)
     • Permanent rollout in 2014
  7. Pilot: 2012-2013
     • Caveat: designed/implemented before the Omnibus Rule
       ◦ Covered Entities only, no Business Associates
       ◦ Used old breach analysis, etc.
     • OCR findings
       ◦ Many issues, even intentional misrepresentations
       ◦ Small providers had the most difficulty
       ◦ Security flaws dominated findings
  8. Pilot Findings
  9. Privacy Rule Findings
  10. Security Rule Problems
  11. Points of Emphasis: Privacy Rule
     • Policies and procedures
     • Minimum Use
  12. Points of Emphasis: Security Rule
     • Risk assessment, risk assessment, and risk assessment
     • Mobile device security
       ◦ Data in motion
       ◦ Data at rest
     • Security incident procedures
       ◦ Ever more important after the HIPAA Omnibus Regulations went into effect
  13. HIPAA Audit Survival: THE FIVE STEPS
  14. Step #1 – Organization
     • Initial document request period: 10 days from the postmarked audit letter
     • Done by design: testing your response time
     • Following this step also allows you to assess your documentation gaps
     • Update old documents
     • Establish an audit trail
  15. Quick Poll #2
  16. Step #2 – Security Risk Assessment
     • The most important document you need for HIPAA compliance
       ◦ Stressed by OCR and the HIPAA Audit process
       ◦ Also has great practical value – a risk assessment is foundational to proper risk management
     • Does not have to be daunting – scalable according to size
     • What you need to assess
       ◦ Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
     • Other tips
  17. Step #3 – Plugging the PHI Holes
     • Risk management – comes on the heels of your risk assessment
     • Document everything
       ◦ Remember, the goal is to establish an audit trail
     • Prioritize risk mitigation actions
  18. Step #4 – Business Associate Agreements
     • Update your BAA to reflect Omnibus changes
       ◦ The changes aren't drastic, but they need to be in there
     • Make sure all vendors are under an agreement
       ◦ BAA terms and the complexity needed can vary from provider to provider
       ◦ Consult your attorney if necessary
     • Get subcontractor assurances
     • Related – vendor management procedures
  19. Step #5 – Training
     • Point of emphasis in the audits, so documentation is critical
     • Don't limit yourself to HIPAA training
       ◦ Security awareness should be included as well
     • Use the training as an opportunity to gain information
  20. Conclusions
     • Audits signal a major change in enforcement
     • As worrisome as this might sound, this can be viewed as an opportunity
     • Risk assessment: the foundation
     • The more documentation, the better
  21. Questions
     Richard Wagner
     richard@qliqsoft.com
  22. Free Demo and 60 Day Evaluation
     www.compliancy-group.com
     855.85 HIPAA (855.854.4722)
     The Guard: One simple, cost-effective compliance tracking solution that satisfies HIPAA, HITECH Risk Assessment, and Omnibus Compliance
     • Reduces risk & liability
     • Differentiates you from the competition
     • Retain clients/patients
     • Improve revenue
