HIPAA Privacy for Employers
© benefitexpress 2016
General Requirements
“Health plans are required to protect and safeguard a participant’s or covered dependent’s personal health information (PHI) from impermissible use or disclosure, and they must obtain a patient’s consent for certain uses and disclosures.”
• What is required to protect information?
• What information is protected?
• What steps must a health plan and the employer take to comply?
What is Required?
Health plans must:
• Establish written policies and procedures to protect PHI
• Protect and safeguard a participant’s or covered dependent’s personal health information (PHI)
• Obtain a participant’s or covered dependent’s written permission for certain uses of PHI
• Notify a participant and/or covered dependent of policies on disclosure and use of PHI
• Report impermissible use or disclosure of PHI
• Allow a participant and/or covered dependent to inspect or copy his or her PHI
• Use and disclose only the “minimum necessary” health information
• Enter into Business Associate Agreements
What is Protected Health Information (PHI)?
• All medical records and other individually identifiable health information held or disclosed by a health plan in any form, whether communicated electronically, on paper or orally
• Health plans may release PHI to employers without authorization in very limited circumstances
• Three conditions must be met:
  - Provider must provide the service at the request of the employer or as an employee,
  - Service provided must relate to medical surveillance of the workplace or an evaluation to determine whether the individual has a workplace injury or illness, and
  - Employer must have a legal requirement under state or federal law to keep records
What are the Plan Sponsor’s Obligations?
• Group health plans do not need to obtain a participant’s or a covered dependent’s consent to release information for the administration of the plan
• Plan sponsor’s obligations depend on whether it receives protected health information, summary health information or no health information
• Obligations if it receives only summary health information
• Required plan amendments
• Obligations if it receives protected health information
What documents are needed to comply?
• HIPAA Privacy Policy
• HIPAA Privacy Use and Disclosures
• Notice of Privacy Practices
• Business Associate Contracts
• Authorization for Release of Information
• Amendment to Health Plan Document
• Amendment to Health Plan SPD
• Plan Sponsor Certification to Health Plan
What documents are needed to comply?
Documents for Implementing Individual Rights
• Request to inspect or copy PHI
• Request to amend or correct PHI
• Request for Accounting of Disclosures of PHI
• Request for restrictions on Use or Disclosure of PHI
Consent Issues – Introduction
Health plans are allowed to use or disclose PHI in the following circumstances:
• as required in accordance with an individual’s right to access PHI;
• for covered functions (i.e., treatment, payment, or health care operations);
• with respect to specific types of information after the opportunity to agree or object;
• pursuant to an individual’s authorization; and
• as required or permitted under HIPAA’s public policy exceptions; and a limited data set may be disclosed when certain requirements are met
For Treatment, Payment, and Health Care Operations
A health plan may use and disclose PHI without authorization:
• For its own treatment, payment, and health care operations;
• For the treatment activities of another health care provider;
• To another covered entity for the payment activities of the entity receiving the information; and
• To another covered entity for certain health care operations activities of the entity that receives the information if each entity has (or had) a relationship with the individual who is the subject of the PHI, the PHI pertains to such relationship, and the purpose of the disclosure is one of those listed in the regulations
Requiring an Opportunity to Agree or Object
The health plan may use and disclose PHI if the individual has had an opportunity to prohibit the disclosure of such information in advance, with regard to:
• Disclosures of limited types of information to family members or close personal friends of the individual for care, payment for care, notification, and disaster relief purposes; and
• Uses and disclosures of limited types of information for facility directory purposes (generally not applicable to health plans)
• Exceptions
Requiring Individual Authorizations
Individual authorizations are required whenever the use or
disclosure is not permitted under privacy rules.
May request authorization for another entity for:
• Any purpose
• But especially, before sending any marketing material
Without Individual Authorization
Health plans may disclose PHI without authorization:
• If required by law
• To certain designated public agencies, individuals and the employer
• Regarding an individual who is a victim of designated abuse, if certain other conditions are met
• To a health oversight agency
• In response to certain court proceedings
• To law enforcement officials if certain conditions are met
• To a coroner or medical examiner for identification purposes
• To organ procurement organizations for transplant purposes
• To prevent a health threat
• For certain specified government purposes
• For workers’ compensation purposes
For Health Plan Underwriting
• Underwriting and placement of health coverage is a permitted health coverage operation
• Sharing PHI with other covered entities for other purposes is limited
• Authorizations may be necessary in some situations
Personal Representative, Minors, & Spouses
• Covered entities must recognize a personal representative’s
authority and provide information within that authority
• But certain exceptions do apply
• Parent’s authority
• Spouse’s authority
Privacy Policy and Procedures
What is Required?
Health plans must establish policies and procedures with respect to PHI that comply with:
• HIPAA standards
• Implementation specifications
• Other requirements
Privacy Notices
Who is required to provide notices?
• Covered Entities (Health Plan)
What must the notices describe?
• Uses and disclosures of PHI that may be made by the covered entity
• Individual’s rights
• Health plan’s legal duties with respect to PHI
What are a health plan’s duties?
• Must provide its own privacy notice if it has access to PHI
• A health plan may arrange for another entity to provide the notice, but remains responsible if no notice is provided
Privacy Official
• A health plan must designate a privacy official
• The privacy official is responsible for the development and implementation of policies and procedures
• A privacy officer must be designated for each subsidiary that is a covered entity
  - A single corporate officer could be designated for multiple subsidiaries
Contact Person
Covered entities must designate a contact person or office for receiving complaints
• Such designation must be documented
• The contact person must be able to provide additional information about matters that are covered in the privacy notice
Health Care Security Requirements
• Apply to the electronic storage and transmission of PHI
• General effective date - April 21, 2006
• Covered entities must implement appropriate administrative,
technical and physical safeguards for PHI
• Privacy rules require “appropriate safeguards” for protecting PHI
• No guidelines for PHI in oral, written or non-electronic form
What information must be protected?
• Any information transmitted by electronic media, maintained in electronic media or maintained in any other form or medium
• What is electronic media?
• Certain transmissions are not covered
Health Care Security Requirements
What are the four general security requirements?
• Ensure the confidentiality, integrity and availability of all electronic PHI that the covered entity creates, receives, maintains or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required
• Ensure compliance by the workforce
Health Care Security Requirements
What are the security standards?
• Administrative safeguards
• Physical safeguards
• Technical safeguards
Covered entities must:
• Use reasonable and appropriate measures to accomplish the requirements
• Engage in risk analysis to determine how to comply
Electronic Transaction Requirements
All covered entities must standardize the format and content of all
electronic transactions when engaging in “covered transactions.”
These are called the EDI Standards.
Electronic Transaction Requirements
What are “covered transactions”?
• Health claims and equivalent encounter information
• Health care payment and remittance advice
• Coordination of benefits
• Health claim status
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health plan premium payments
• Referral certification and authorization
• First report of injury
• Health claims attachments
Electronic Transaction Requirements
What are the EDI Standards requirements?
• Covered entities, in conducting covered transactions, must use standardized formats and content, as well as uniform codes, in communicating with other entities
• Only those entities who conduct “standard transactions” electronically or engage others to do so are subject to the EDI standards
• Health plans are considered to be covered entities and must comply with the EDI Standards, along with the additional requirements
Electronic Transaction Requirements
What transactions and transmissions are covered?
Is the entity conducting the transaction a covered entity (or its business associate)?
Does the transaction fall within the definition of one of the covered transactions?
Covered entities must comply with the EDI Standards in certain stated transactions.
Transactions within a covered entity are subject to the EDI Standards.
Electronic Transaction Requirements
EDI Requirements
• Applies to transactions transmitted using electronic media
• Does not apply to any transactions conducted on paper or over the telephone
• Does not apply to noncovered entities
• Does not apply to group health plans with under 50 participants
• Does not apply to health plan sponsors because they are not covered entities
Sharing PHI w/Plan Sponsor | Final Thoughts
A group health plan may not share PHI with the plan sponsor except for disclosure of:
• De-identified information
• Group health plan enrollment and disenrollment information
• Limited summary health information for insurance placement and settlor functions
• PHI to plan sponsor personnel involved in plan administration when certain requirements are met
• Pursuant to authorization
Certain Employer Functions Require Authorization
• Health plans cannot provide access to PHI to plan sponsors without certain plan provisions and safeguards
• Disclosure must be for “plan administrative functions”
• Health care providers and health plans may use and disclose PHI with an individual’s “authorization” for any purpose provided in the authorization
Certain Employer Functions Require Authorization
These functions include:
• Plan must not condition treatment or payment on receipt of an authorization
• In some circumstances, an employer may condition employment on receipt of an authorization
• An authorization may be required to obtain PHI for purposes of FMLA or ADA
• An authorization may be required for an employer to assist an employee with a claim
• An authorization may be required for an employer to receive reports from an EAP
Exceptions for Some Common Employer Practices
HIPAA includes numerous exceptions to broad use and disclosure
rules
Common employer practices that fall under these exceptions:
• State/Federal disclosure requirements
• Workers’ compensation
• Health information contained in employment record
Special Concerns
Change office behavior
• Shred pertinent documents; do not simply discard them
• Prohibit staff from accessing a participant’s medical records to learn a neighbor’s birthday or to satisfy a similar form of curiosity
• Do not leave messages about a participant’s health on an answering machine or with someone other than the patient or doctor
• Avoid discussions about a participant’s claims in elevators, the cafeteria or other public places
• Avoid paging participants using identifiable information
• Do not fax information without knowing that the person to whom the fax is addressed is ready to receive it
• Do not allow faxes to sit on an office machine where unauthorized people may see them
Final Regulations Related to HIPAA Security Breaches
Overview
• American Recovery and Reinvestment Act of 2009 (ARRA) modified HIPAA
• Security and privacy rules apply to Business Associates (BAs)
• Created new notification rules for a privacy breach
  - Notice to affected individuals
  - Notice to media
  - Notice to the Department of Health and Human Services (HHS)
• Penalties for non-compliance increased
Security and Privacy Rules Applied to Business Associates
• Most security rules now apply to BAs
• Some privacy rules now apply to BAs
• Generally effective February 1, 2010:
  - Some provisions, such as the breach rules and penalties, can apply earlier
  - BAs must comply with electronic protected health information (PHI) and breach rules as of September 1, 2009, but do not need security policies and procedures until February 2010
Breach Defined
A breach is:
“The acquisition, access, use or disclosure of PHI…”;
[In a manner not otherwise permitted under the HIPAA privacy rule]
“…which compromises the security or privacy of the PHI”
Regulations do not incorporate the statute’s use of “accesses,
maintains, retains, modifies, records, stores, destroys or otherwise
holds, uses or discloses” unsecured PHI.
Breach Defined
A breach “compromises” PHI when it poses “a significant risk of financial, reputational, or other harm.”
BAs can make a judgment call about how significant a threat is.
[If not significant, there is no breach and reporting is not required]
A risk assessment should be done and documented so it can be demonstrated why a breach notice was not needed.
Breach Defined
During an evaluation consider:
• Who impermissibly used PHI or to whom information was impermissibly disclosed
• The nature of the PHI that was disclosed
  - For example:
    • If the name of an individual and plan participation are disclosed there could be a privacy breach, but there may be no harm
    • If the types of treatment or other sensitive information (social security number, account number, etc.) are revealed then there is a higher likelihood of harm
  - Many types of health details are sensitive these days given the risk of employment discrimination
Breach Defined
• Effective for breaches occurring on or after 30 days from publication in the Federal Register
• HHS will use its enforcement discretion and not impose penalties until February 22, 2010
  - No guidance on whether penalties could relate to actions taken between September 23, 2009 and February 21, 2010
• HHS does not have the authority to penalize BAs until February 18, 2010
  - This will not negate any potential exposure from breach of contract or negligence
Exceptions to Breach
1. Secured PHI
2. Unintentional acquisition, access or use by individual acting
under authority of BA
3. Inadvertent disclosure from one covered entity to another
covered entity
4. Unauthorized disclosure where the unauthorized individual
would not reasonably have been able to retain the information
Exceptions to Breach
1. Secured PHI
Secured PHI
• PHI that is held in a manner deemed to be “secure”
• Electronic data protected by specified encryption technology
• Paper or film records shredded or destroyed
• Electronic media purged in accordance with specific standards
Unsecured PHI
• PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through a technology or methodology approved by HHS
• PHI in any form is covered (oral and written, both paper and electronic)
• Access controls, firewalls, etc. do not make data secured
• Redaction of paper documents does not make them secured
Exceptions to Breach
1. Secured PHI
Safe harbor for data:
• In motion (moving through a network)
• At rest (in a database or on a flash drive)
• In use (in the process of being created, retrieved, updated or deleted)
• Disposed (both discarded paper records and recycled electronic media)
Exceptions to Breach
2. Unintentional Acquisition
The unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of the plan or BA, if the acquisition, access or use is in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA privacy rule.
• Workforce member – includes employees, volunteers and others under the control of the plan
• BA can be acting under the authority of the plan
Example:
An employee who is responsible for billing receives an email which contains PHI about a plan participant from another employee. The email was accidentally sent. The billing employee opens the email, notices she is not the intended recipient, alerts the employee who sent the email and then deletes the email.
Exceptions to Breach
3. Disclosure to Another Covered Entity
Inadvertent disclosure by a person who is authorized to access PHI at a plan or BA to another person authorized to access PHI at the same plan or BA, if the PHI received is not further used or disclosed in a manner violating 45 CFR Part 164, Subpart E.
Example:
A member of an appeals committee shares a participant’s PHI with another committee member. Member 1 thought the participant had appealed a claim; however, it was actually a different participant’s appeal. Member 2 does not disclose or use the PHI.
Exceptions to Breach
4. Unauthorized Disclosure, Not Retained
Disclosure of PHI where a plan or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI.
Appears to apply to both physical (e.g., an actual paper record) retention and mental retention.
Example:
A plan mails a number of EOBs to the wrong individual. The EOBs are returned by the post office as undeliverable. They are unopened.
Identification of Breach
Plan and BA must determine:
• whether there was an impermissible use or disclosure of PHI under Subpart E
• whether the impermissible use or disclosure compromises the security or privacy of the PHI, and document such findings
• if an exception applies
Notification Rules
When a breach is discovered:
• BA should report the data to the plan within the timeframe allowed by their agreement
  - Does not need to report the breach to the affected individuals, unless the contract specifies
• Plan must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of the breach
• Plan may need to notify the media
• Plan must notify HHS
Notification Rules
Discovery of a breach
• First day on which the breach is known, or should reasonably have been known, by a covered entity or BA had they exercised reasonable diligence
• Plan and BA are deemed to have the knowledge of workforce members and any agents
  - Agent status determined using federal common law agency rules
• BA is often an agent of the plan
• Broad reach
• If the breaching employee never tells anyone of a breach, the breach occurred but cannot be discovered and therefore there is no reporting obligation
Notification Rules
Business Associate notification to plan
• BA must notify the plan after it discovers a breach of unsecured PHI
  - Same rules as for covered entities in determining when a breach is discovered
• BA must provide notice to the plan without unreasonable delay, but in no event later than 60 days after the breach is discovered
• BA must provide a list of each individual whose PHI was breached and any other information the plan would need to send out notice to individuals
Notification Rules
Notice to Individuals
The plan must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed as a result of the breach.
• If the BA discovers the breach, it must notify the plan and should identify each individual who is affected.
Notification must be made without unreasonable delay and no later than 60 calendar days after discovery of the breach.
• 60 days from the date the breach is first known is the outside limit and may be unreasonable in some circumstances.
  - The 60 days begins even if it is initially unclear whether there was a breach
• Burden of proof is on the covered entity/BA to show timeliness.
Notification Rules
Notice to Individuals
• Written notice should be sent by first-class mail to the individual’s last known address
  - May notify by email if the individual has consented
  - May notify next of kin or personal representative if the plan has that information
• If it is an urgent situation, due to possible imminent misuse, notification may be made by telephone or other means in addition to the written notice
  - No guidance has been provided regarding what is considered urgent
• Burden of proof is on the plan/BA to prove notifications were provided
Notification Rules
Notice to Individuals
When direct notice is not possible because the plan has insufficient or out-of-date contact information, it may notify by a substitute form.
• For fewer than 10 individuals, it may be written notice, telephone notice or other means.
• For more than 10 individuals, it should be a conspicuous posting on the covered entity’s web site for 90 days or more, or a conspicuous notice in major print or broadcast media.
  - A toll-free phone number must be included so individuals can learn if their unsecured PHI was breached.
  - Must be on the home page of the website or be a prominent hyperlink.
  - What constitutes major print or broadcast media is a facts and circumstances test, which considers the geography of the individuals.
Notification Rules
Notice to Individuals
Notice must include:
• A plain-language, brief description of what happened, including the date of the breach and the date of its discovery
• The type of unsecured PHI involved (e.g., social security number, full name, address, etc.)
• Steps an individual should take to protect himself/herself from potential harm
• A brief description of what is being done to remedy and mitigate the effects of the breach
• Contact procedures for individuals to ask questions or get additional information
  - Must include a toll-free phone number, email address, web site or mailing address
Notification Rules
Media Notice
Notice must be provided to prominent media outlets in the state or jurisdiction if unsecured PHI of more than 500 residents of the state or jurisdiction is, or is reasonably believed to have been, accessed, acquired or disclosed during a breach.
• Assumption that major media is similar to prominent media
• Jurisdiction is smaller than a state (e.g., county or city)
• Must affect 500 residents of the state or jurisdiction – if the total breach is larger, but there are not 500 in any one state or jurisdiction, this notice is not required
This notice is in addition to the individual notice.
Notification Rules
HHS Notice
Notice must be provided to HHS if there is a breach of 500 or more individuals.
• Notice must be submitted within the same timeframe as the notice to affected individuals.
• The count of individuals is the total discovered during the investigation.
  - If there was an initial discovery of 400 individuals, but upon investigation another 150 are discovered, HHS must be notified.
A log must be maintained and submitted annually to HHS for breaches of fewer than 500 individuals.
• Must be submitted within 60 days of the end of the calendar year.
• The HHS website will provide details on how to submit.
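The thresholds and windows on the notification slides (60-day outside limit, the 500-individual HHS and media thresholds, the under-10 substitute-notice split, the annual log) can be encoded as a small decision helper for an incident-response runbook. This is an added example, not part of the benefitexpress deck; the Breach record, its field names and the sample figures are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds and windows as stated on the slides. Constructed helper, not the deck's material.
INDIVIDUAL_NOTICE_DAYS = 60      # individual notice: no later than 60 calendar days after discovery
HHS_IMMEDIATE_THRESHOLD = 500    # 500 or more individuals: HHS notice in the same window
MEDIA_RESIDENT_THRESHOLD = 500   # more than 500 residents of one state/jurisdiction: media notice
SUBSTITUTE_SMALL_GROUP = 10      # fewer than 10 unreachable individuals: written/phone/other means
WEB_POSTING_DAYS = 90            # otherwise: conspicuous web posting for 90+ days (or major media)
ANNUAL_LOG_DAYS = 60             # breaches under 500: log submitted within 60 days of year end

# The four exceptions on the "Exceptions to Breach" slides (names are constructed labels).
BREACH_EXCEPTIONS = {
    "secured_phi",
    "unintentional_acquisition",
    "disclosure_to_another_covered_entity",
    "unauthorized_disclosure_not_retained",
}


@dataclass
class Breach:
    discovered: date                 # first day the breach was (or should have been) known
    initially_identified: int        # individuals identified at discovery
    found_in_investigation: int      # additional individuals found while investigating
    residents_by_jurisdiction: dict  # e.g. {"IL": 450}: affected residents per state/jurisdiction
    unreachable: int = 0             # individuals with insufficient or out-of-date contact info
    exception: Optional[str] = None  # one of BREACH_EXCEPTIONS if it applies, else None


def affected_total(b: Breach) -> int:
    # The HHS count is the total discovered during the investigation, not the initial figure.
    return b.initially_identified + b.found_in_investigation


def annual_log_deadline(discovered: date) -> date:
    # Sub-500 breaches go on a log due within 60 days of the end of the calendar year of discovery.
    return date(discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS)


def substitute_notice(unreachable: int) -> Optional[str]:
    # Substitute notice applies only to individuals who cannot be reached directly.
    if unreachable == 0:
        return None
    if unreachable < SUBSTITUTE_SMALL_GROUP:
        return "written, telephone or other means"
    return f"conspicuous web posting for {WEB_POSTING_DAYS}+ days or major media, with toll-free number"


def plan_notifications(b: Breach) -> dict:
    """Return which notices the slides call for and their outside deadlines."""
    if b.exception is not None and b.exception not in BREACH_EXCEPTIONS:
        raise ValueError(f"unknown exception: {b.exception}")
    if b.exception is not None:
        # No notice, but the slides say to document the risk assessment that reached this result.
        return {"reportable": False, "reason": f"exception applies: {b.exception}",
                "document_risk_assessment": True}
    total = affected_total(b)
    # 60 days runs from discovery even if it was initially unclear whether there was a breach.
    outside_limit = b.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    media = sorted(j for j, n in b.residents_by_jurisdiction.items() if n > MEDIA_RESIDENT_THRESHOLD)
    result = {
        "reportable": True,
        "affected_total": total,
        "individual_notice_deadline": outside_limit,  # "without unreasonable delay"; this is the cap
        "substitute_notice": substitute_notice(b.unreachable),
        "media_notice_jurisdictions": media,
        "document_risk_assessment": True,
    }
    if total >= HHS_IMMEDIATE_THRESHOLD:
        result["hhs_notice_deadline"] = outside_limit
        result["hhs_annual_log"] = False
    else:
        result["hhs_notice_deadline"] = annual_log_deadline(b.discovered)
        result["hhs_annual_log"] = True
    return result


if __name__ == "__main__":
    # Constructed sample mirroring the deck's 400 + 150 figures; jurisdiction counts are invented.
    sample = Breach(date(2016, 3, 15), 400, 150, {"IL": 450, "IN": 100}, unreachable=12)
    for key, value in plan_notifications(sample).items():
        print(f"{key}: {value}")
```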
Other Changes
• State notification laws not preempted unless they stand “as an obstacle”
• Law enforcement delay of notification, verbal notice must be documented
and is for a maximum of 30 days, written notice is for the time period
specified
• Must train workforce on requirements
• Complaint processes must provide for the ability to include complaints
regarding these processes
• Retaliation/waiver/intimidating acts are prohibited
• There are sanctions for failure to comply
Penalties/Enforcement
HHS audits now required
Penalty amounts:
• Minimum $100 if the entity did not know of the violation and would not have known even with reasonable diligence – maximum $50K per violation, $1.5M total
• Minimum $1,000 if reasonable cause and not willful neglect – maximum $50K per violation, $1.5M total
• Minimum $10,000 if willful neglect but corrected – maximum $50K per violation, $1.5M total
• Minimum $50,000 if willful neglect and not corrected – maximum $1.5M
Compliance Audits
• OCR announced the launch of phase 2 of the audit program in March 2016.
• Here are some things to expect:
• Who may be audited?
  - OCR intends to audit a wide range of covered entities, and business associates will be added to the list of audit targets, now that OCR has direct enforcement authority over business associates.
  - OCR’s stated goal is to have a broad sample of audited entities, including each type of covered entity (plans, providers, and clearinghouses), different types of business associates, entities of different sizes, and entities located in various regions throughout the country.
Compliance Audits
What is the structure of the audit program?
Phase 2 will be conducted in three rounds:
• Round 1: The first round will be remote desk audits of covered entities, based on documents and other information received in response to an information request
• Round 2: The second round will be remote desk audits of business associates, based on documents and other information received in response to an information request. Rounds 1 and 2 are expected to be completed by December 2016
• Round 3: The third set of audits will be on-site and will examine a broader scope of HIPAA requirements than the desk audits. Both covered entities and business associates, including those that already underwent a desk audit, may be subject to an on-site audit
Compliance Audits
How will the audit program work?
• The audit process will employ common audit techniques
• Entities selected for an audit will be sent an email notification of their selection and will be asked to provide documents and other data in response to a document request letter
• Audited entities will submit documents online via a new secure audit portal on OCR’s website—within 10 business days after they receive OCR’s request
• After reviewing relevant documentation and other information, auditors will develop and share draft findings with the audited entity
• Audited entities will have the opportunity to respond to the draft findings, and their written responses will be included in the final audit report. Audit reports generally describe how the audit was conducted, discuss any findings, and contain entity responses to the draft findings
Compliance Audits
What is the audit timeline?
• The timeline for desk audits is quite compressed
• Once the auditor sends draft findings to the audited entity, the audited entity will have just 10 business days to review the findings and return written comments to the auditor
• The auditor will complete a final report within 30 business days after receiving the audited entity’s comments
• On-site audits will be conducted over a period of 3–5 days, depending on the size of the entity
• As with desk audits, the audited entity will have just 10 business days to review and submit written comments on the auditor’s draft findings
• The final audit report will be completed and furnished to the audited entity within 30 days after the audited entity’s response
Compliance Audits
What is the likely scope of an audit?
OCR has indicated that desk audits will be more limited than on-site audits, but it is unclear how much more limited they will be.
OCR also has released an updated audit protocol. Previously, OCR had suggested that the updated protocol would identify the areas that OCR would focus on during phase 2 audits, but the actual protocol does not really carry through on this suggestion—it lists all of the security rule’s requirements for administrative, physical, and technical safeguards and all of the breach notification rule’s requirements.
Compliance Audits
What is the likely scope of an audit?
The protocol is a little narrower with respect to the privacy rule, covering:
• the Notice of Privacy Practices
• the right to request privacy protection for PHI
• access of individuals to PHI
• administrative requirements (such as training, policies and procedures, sanctions, and document retention)
• uses and disclosures of PHI
• individuals’ rights to request amendment of PHI and accountings of disclosures
Compliance Audits
How do you prepare for a possible audit?
• Be alert to OCR communications
• Don’t ignore OCR
• Round up all the OCR inquiries
• Have an audit response plan in place
• Conduct a pre-audit review
• Time is of the essence
• Know your business associates
• Develop or update compliance documents
Questions?
Contact
Larry Grudzien
Attorney at Law
708-717-9638
larry@larrygrudzien.com
larrygrudzien.com
68

 

HIPAA Training: Privacy Review and Audit Survival Guide

  • 1. © benefitexpress 2016 HIPAA Privacy For Employers
  • 2. © benefitexpress 2016 General Requirements “Health plans are required to protect and safeguard a participant’s or covered dependent’s personal health information (PHI) from impermissible use or disclosure and they must obtain a patient’s content for certain uses and disclosures.” • What is required to protect information? • What information is protected? • What steps must a health plan and the employer do to comply? 2
  • 3. © benefitexpress 2016 What is Required? Health plans must: • Establish written policies and procedures to protect PHI • Protect and safeguard a participant’s or covered dependent’s personal health information (PHI) • Obtain participant’s or covered dependent’s written permission for certain uses of PHI • Notify a participant and/or covered participant of policies of disclosure and use of PHI • Report impermissible use or disclosure of PHI • Allow a participant and/or covered dependent to inspect or copy his or her PHI • Use and disclose only the “minimum necessary” health information • Enter into Business Associate Agreements 3
  • 4. © benefitexpress 2016 What is Protected Health Information (PHI)? • All medical records and other individually identifiable health information held or disclosed by a health plans in any form, whether communicated electronically, on paper or orally • Health plans may release PHI to employers without authorization in very limited circumstances • Three conditions must be met:  Provider must provide service at the request of employer or as an employee,  Service provided must relate to medical surveillance of workplace or an evaluation to determine individual has workplace injuries or illness, and  Employer must have legal requirement under state or federal law to keep records 4
  • 5. © benefitexpress 2016 What are the Plan Sponsor’s Obligations? • Group health plans do not need to obtain a participant’s or a covered dependents consent to release information for the administration of the plan • Plan sponsor’s obligation depends on whether it receives protected health information, summary health information or no health information • Obligations, if it receive only summary health information • Required plan amendments • Obligations, if it receives protected health information 5
  • 6. © benefitexpress 2016 What documents are needed to comply? • HIPAA Privacy Policy • HIPAA Privacy Use and Disclosures • Notice of Privacy Practices • Business Associate Contracts • Authorization for Release of Information • Amendment to Health Plan Document • Amendment to Health Plan SPD • Plan Sponsor Certification to Health Plan 6
  • 7. © benefitexpress 2016 What documents are needed to comply? • Request to inspect or copy PHI • Request to amend or correct PHI • Request for Accounting of Disclosures of PHI • Request for restrictions on Use or Disclosure of PHI Documents for Implementing Individual Rights 7
  • 8. © benefitexpress 2016 Consent Issues – Introduction • as required in accordance with an individual’s right to access PHI; • for covered functions (i.e., treatment, payment, or health care operations); • with respect to specific types of information after the opportunity to agree or object; • pursuant to an individual’s authorization; and • as required or permitted under HIPAA’s public policy exceptions and a limited data set may be disclosed when certain requirements are met Health plans are allowed to use or disclose PHI in the following circumstances: 8
  • 9. © benefitexpress 2016 For Treatment, Payment, and Health Care Operations • For its own treatment, payment, and health care operations; • For the treatment activities of another health care provider; • To another covered entity for the payment activities of the entity receiving the information; and • To another covered entity for certain health care operations activities of the entity that receives the information if each entity has (or had) a relationship with the individual who is the subject of the PHI, the PHI pertains to such relationship, and the purpose of the disclosure is one of those listed in the regulations A health plan may use and disclose PHI without authorization: 9
  • 10. © benefitexpress 2016 Requiring an Opportunity to Agree or Object The health plan may use and disclose PHI if individual has had opportunity to, prohibit the disclosure of such information in advance regarding to: • Disclosures of limited types of information to family members or close personal friends of the individual for care, payment for care, notification, and disaster relief purposes; and • Uses and disclosures of limited types of information for facility directory purposes (generally not applicable to health plans) • Exceptions 10
  • 11. © benefitexpress 2016 Requiring Individual Authorizations Individual authorizations are required whenever the use or disclosure is not permitted under privacy rules. May request authorization for another entity for: • Any purpose • But especially, before sending any marketing material 11
  • 12. © benefitexpress 2016 Without Individual Authorization • If required by law • To certain designated public agencies, individuals and the employer • Regarding an individual if a victim of designated abuse and certain other conditions are met • To a health oversight agency • In response to certain court proceedings • To a law enforcement officials if certain conditions are met • To a coroner or medical examiner of ID purposes • To organ procurement organizations for transplant purposes • To prevent health threat • For certain specified government purposes • To comply with Worker‘s Compensation purposes Health plans may disclose PHI without authorization: 12
  • 13. © benefitexpress 2016 For Health Plan Underwriting • Underwriting and placement of health coverage is a permissive health coverage operation • Sharing PHI with other covered entities for other purposes limited. • Authorizations may be necessary in some situations 13
  • 14. © benefitexpress 2016 Personal Representative, Minors, & Spouses • Covered entities must recognize a personal representative’s authority and provide information within that authority • But certain exceptions do apply • Parent’s authority • Spouse’s authority 14
  • 15. © benefitexpress 2016 Privacy Policy and Procedures Health plans must establish policies and procedures with respect to PHI that complies with: • HIPAA standards • Implementation specifications • Other requirements What is Required? 15
  • 16. © benefitexpress 2016 Privacy Notices Who is required to provide notices? • Covered Entities (Health Plan) What must the notices describe? • Uses and disclosures of PHI that may be made by the covered entity • Individual’s rights • Health plan’s legal duties with respect to PHI What are a health plan’s duties? • Must Provide own privacy notices if it has access to PHI • A health plan may arrange to have another entity to provide notice, but will be responsible if no notice is provided. 16
  • 17. © benefitexpress 2016 Privacy Official • A health plan must designate a privacy official • Privacy official is responsible for the development and implementation of policies and procedures • A privacy officer must be designated for each subsidiary that is a covered entity  A single corporate officer could be designated for multiple subsidiaries 17
  • 18. © benefitexpress 2016 Contact Person Covered entities must designate a contract person or office for receiving complaints • Such designation must be documented • Contact person must be able to provide additional information about matters that are covered in privacy notice 18
  • 19. © benefitexpress 2016 Health Care Security Requirements • Apply to the electronic storage and transmission of PHI • General effective date - April 21, 2006 • Covered entities must implement appropriate administrative, technical and physical safeguards for PHI • Privacy rules require “appropriate safeguards” for protecting PHI • No guidelines for PHI in oral, written or non-electronic form 19
  • 20. © benefitexpress 2016 • Any information transmitted by electronic media, maintained in electronic media or maintained in other form or medium • What is electronic media? • Certain transmissions are not covered What information must be protected? 20
  • 21. © benefitexpress 2016 Health Care Security Requirements • Ensure the confidentiality, integrity and availability of all electronic PHI that the covered entity creates, receives, maintains or transmits • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required • Ensure compliance by the workforce What are the four general security requirements? 21
  • 22. © benefitexpress 2016 Health Care Security Requirements What are the security standards? • Administrative safeguards • Physical safeguards • Technical safeguards Covered entities must: • Use reasonable and appropriate measures to accomplish the requirements • Engage in risk analysis to determine how to comply 22
  • 23. © benefitexpress 2016 Electronic Transaction Requirements All covered entities must standardize the format and content of all electronic transactions when engaging in “covered transactions.” These are called the EDI Standards. 23
  • 24. © benefitexpress 2016 Electronic Transaction Requirements • Health claims and equivalent encounter information • Health care payment and remittance advice • Coordination of benefits • Health claim status • Enrollment and disenrollment in a health plan • Eligibility for a health plan • Health plan premium payments • Referral certification and authorization • First report of injury • Health claims attachments What are “covered transactions”? 24
  • 25. © benefitexpress 2016 Electronic Transaction Requirements • Covered entities in conducting covered transactions must use standardized formats and content, as well as uniform codes in communicating with other entities • Only those entities who conduct ”standard transactions” electronically or engage others to do so are subject to EDI standards • Health plans are considered to be covered entities and must comply with the EDI Standards, along with the additional requirements What are the EDI Standards requirements? 25
  • 26. © benefitexpress 2016 Electronic Transaction Requirements What transactions and transmissions are covered? Is the entity conducting the transaction a covered entity (or its business associate)? Does the transaction fall within the definition of one of the covered transactions? Covered entities must comply with the EDI Standards in certain stated transactions. Transactions within a covered entity are subject to the EDI Standards. 26
  • 27. © benefitexpress 2016 Electronic Transaction Requirements • Applies to transactions transmitted using electronic media • Does not apply to any transactions conducted in paper or over the telephone • Does not apply to noncovered entities • Does not apply to group health plans with under 50 participants • Does not apply to health plan sponsors because they are not covered entities EDI Requirements 27
  • 28. © benefitexpress 2016 Sharing PHI w/Plan Sponsor | Final Thoughts • De-identified information • Group health plan enrollment and disenrollment information • Limited summary health information for insurance placement and settlor function • PHI to plan sponsor personnel involved in plan administration when certain requirements are met • Pursuant to authorization A group health plan may not share PHI with plan sponsor except for disclosure of: 28
  • 29. © benefitexpress 2016 Certain Employer Functions Require Authorization • Health plans can not provide access to PHI to plan sponsors without certain plan provisions and safeguards • Disclosure must be for “plan administrative functions” • Health care providers and health plans may use and disclose PHI with an individual’s “authorization” for any purpose provided in the authorization 29
  • 30. © benefitexpress 2016 Certain Employer Functions Require Authorization • Plan must not condition treatment or payment on receipt of an authorization • In some circumstances, an employer may condition employment on receipt of authorization • Authorization may be required to obtain PHI for purposes of FMLA or ADA • An authorization may be required for an employer to assist employee with a claim • An authorization may be required for an employer to receive reports from EAP These functions include: 30
  • 31. © benefitexpress 2016 Exceptions for Some Common Employer Practices HIPAA includes numerous exceptions to broad use and disclosure rules Common employer practices that fall under these exceptions: • State/Federal disclosure requirements • Workers’ compensation • Health information contained in employment record 31
  • 32. © benefitexpress 2016 Special Concerns • Shred pertinent documents- do not simply discard them • Prohibit staff from accessing a participant’s medical records to learn a neighbor’s birthday or to satisfy a similar form of curiosity • Do not leave messages about a participant’s health on an answering machine or with someone other than the patient or doctor • Avoid discussions about a participant’s claims in elevators, cafeteria or other public places • Avoid paging participant’s using identifiable information • Do not fax information without knowing that the persons to whom the fax is addressed is ready to receive it • Do not allow faxes to sit on an office machine where unauthorized people may see them Change office behavior 32
33. Final Regulations Related to HIPAA Security Breaches
34. Overview
• American Recovery and Reinvestment Act of 2009 (ARRA) modified HIPAA
• Security and privacy rules apply to Business Associates (BAs)
• Created new notification rules for a privacy breach
   Notice to affected individuals
   Notice to media
   Notice to the Department of Health and Human Services (HHS)
• Penalties for non-compliance increased
35. Security and Privacy Rules Applied to Business Associates
• Most security rules now apply to BAs
• Some privacy rules now apply to BAs
• Generally effective February 1, 2010:
   Some provisions, such as the breach rules and penalties, can apply earlier
   BAs must comply with the electronic protected health information (PHI) and breach rules as of September 1, 2009, but do not need security policies and procedures until February 2010
36. Breach Defined
A breach is: “The acquisition, access, use or disclosure of PHI…” [in a manner not otherwise permitted under the HIPAA privacy rule] “…which compromises the security or privacy of the PHI.”
The regulations do not incorporate the statute’s use of “accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses” unsecured PHI.
37. Breach Defined
“Compromises” PHI is defined as a breach that poses “a significant risk of financial, reputational, or other harm.”
BAs can make a judgment call about how significant a threat is. [If it is not significant, there is no breach and reporting is not required.]
The risk assessment should be done and documented so it can be demonstrated why a breach notice was not needed.
38. Breach Defined
During an evaluation consider:
• Who impermissibly used the PHI, or to whom the information was impermissibly disclosed
• The nature of the PHI that was disclosed
   For example:
   • If the name of an individual and plan participation are disclosed, there could be a privacy breach, but there may be no harm
   • If the types of treatment or other sensitive information (social security number, account number, etc.) are revealed, then there is a higher likelihood of harm
   Many types of health details are sensitive these days given the risk of employment discrimination
39. Breach Defined
• Effective for breaches occurring on or after 30 days from publication in the Federal Register
• HHS will use its enforcement discretion and not impose penalties until February 22, 2010
   No guidance on whether penalties could relate to actions taken between September 23, 2009 and February 21, 2010
• HHS does not have the authority to penalize BAs until February 18, 2010
   This will not negate any potential exposure from breach of contract or negligence
40. Exceptions to Breach
1. Secured PHI
2. Unintentional acquisition, access or use by an individual acting under the authority of the plan or BA
3. Inadvertent disclosure from one covered entity to another covered entity
4. Unauthorized disclosure where the unauthorized individual would not reasonably have been able to retain the information
41. Exceptions to Breach: 1. Secured PHI
Secured PHI
• PHI that is held in a manner deemed to be “secure”
• Electronic data protected by specified encryption technology
• Paper or film records shredded or destroyed
• Electronic media purged in accordance with specific standards
Unsecured PHI
• PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through a technology or methodology approved by HHS
• PHI in any form is covered (oral and written, both paper and electronic)
• Access controls, firewalls, etc. do not make data secured
• Redaction of paper documents does not make them secured
42. Exceptions to Breach: 1. Secured PHI
Safe harbor for data:
• In motion (moving through a network)
• At rest (in a database or on a flash drive)
• In use (in the process of being created, retrieved, updated or deleted)
• Disposed (both discarded paper records and recycled electronic media)
43. Exceptions to Breach: 2. Unintentional Acquisition
The unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of the plan or BA, if the acquisition, access or use is in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA privacy rule.
• Workforce member: includes employees, volunteers and others under the control of the plan
• A BA can be acting under the authority of the plan
Example: An employee who is responsible for billing receives an email from another employee which contains PHI about a plan participant. The email was sent accidentally. The billing employee opens the email, notices she is not the intended recipient, alerts the employee who sent the email and then deletes it.
44. Exceptions to Breach: 3. Disclosure to Another Covered Entity
Inadvertent disclosure by a person who is authorized to access PHI at a plan or BA to another person authorized to access PHI at the same plan or BA, if the PHI received is not further used or disclosed in a manner violating 45 CFR § 164 Part E.
Example: A member of an appeals committee shares a participant’s PHI with another committee member. Member 1 thought the participant had appealed a claim; however, it was actually a different participant’s appeal. Member 2 does not disclose or use the PHI.
45. Exceptions to Breach: 4. Unauthorized Disclosure, Not Retained
Disclosure of PHI where a plan or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI.
This appears to apply to both physical retention (e.g., an actual paper record) and mental retention.
Example: A plan mails a number of EOBs to the wrong individual. The EOBs are returned by the post office as undeliverable. They are unopened.
46. Identification of Breach
The plan and BA must determine:
• whether there was an impermissible use or disclosure of PHI under Subpart E
• whether the impermissible use or disclosure compromises the security or privacy of the PHI, and document such findings
• whether an exception applies
47. Notification Rules: When a breach is discovered
• BA should report the data to the plan within the timeframe allowed by their agreement
   Does not need to report the breach to the affected individuals, unless the contract specifies
• Plan must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of the breach
• Plan may need to notify the media
• Plan must notify HHS
48. Notification Rules: Discovery of a breach
• First day on which the breach is known, or should reasonably have been known, by a covered entity or BA had they exercised reasonable diligence
• Plan and BA are deemed to have the knowledge of their workforce members and any agents
   Agent status is determined using federal common law agency rules
• BA is often an agent of the plan
• Broad reach
• If the breaching employee never tells anyone of a breach, the breach occurred but cannot be discovered and therefore there is no reporting obligation
49. Notification Rules: Business Associate notification to plan
• BA must notify the plan after it discovers a breach of unsecured PHI
   Same rules as for covered entities in determining when a breach is discovered
• BA must provide notice to the plan without unreasonable delay, but in no event later than 60 days after the breach is discovered
• BA must provide a list of each individual whose PHI was breached and any other information the plan would need to send out notice to individuals
50. Notification Rules: Notice to Individuals
The plan must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed as a result of the breach.
• If the BA discovers the breach, it must notify the plan and should identify each individual who is affected.
Notification must be made without unreasonable delay and no later than 60 calendar days after discovery of the breach.
• 60 days from the date the breach is first known is the outside limit and may be unreasonable in some circumstances.
   The 60 days begin even if it is initially unclear whether there was a breach
• Burden of proof is on the covered entity/BA to show timeliness.
51. Notification Rules: Notice to Individuals
• Written notice should be sent by first-class mail to the individual’s last known address
   May notify by email if the individual has consented
   May notify next of kin or personal representative if the plan has that information
• If it is an urgent situation, due to possible imminent misuse, notification may be made by telephone or other means in addition to the written notice
   No guidance has been provided regarding what is considered urgent
• Burden of proof is on the plan/BA to prove notifications were provided
52. Notification Rules: Notice to Individuals
When direct notice is not possible because the plan has insufficient or out-of-date contact information, notice may be given in a substitute form.
• For fewer than 10 individuals, it may be written notice, telephone notice or other means.
• For more than 10 individuals, it should be a conspicuous posting on the covered entity’s web site for 90 days or more, or a conspicuous notice in major print or broadcast media.
   A toll-free phone number must be included so individuals can learn whether their unsecured PHI was breached.
   Must be on the home page of the website or be a prominent hyperlink.
   What constitutes major print or broadcast media is a facts-and-circumstances test, which considers the geography of the individuals.
53. Notification Rules: Notice to Individuals
Notice must include:
• A plain-language, brief description of what happened, including the date of the breach and the date of its discovery
• The type of unsecured PHI involved (e.g., social security number, full name, address, etc.)
• Steps an individual should take to protect himself/herself from potential harm
• A brief description of what is being done to remedy and mitigate the effects of the breach
• Contact procedures for individuals to ask questions or get additional information
   Must include a toll-free phone number, email address, web site or mailing address
54. Notification Rules: Media Notice
Notice must be provided to prominent media outlets in the state or jurisdiction if the unsecured PHI of more than 500 residents of the state or jurisdiction is, or is reasonably believed to have been, accessed, acquired or disclosed during a breach.
• Assumption that “major media” is similar to “prominent media”
• A jurisdiction is smaller than a state (e.g., county or city)
• Must affect 500 residents of the state or jurisdiction; if the total breach is larger, but there are not 500 in any one state or jurisdiction, this notice is not required
This notice is in addition to the individual notice.
55. Notification Rules: HHS Notice
Notice must be provided to HHS if there is a breach of 500 or more individuals.
• Notice must be submitted within the same timeframe as the notice to affected individuals.
• The count of individuals is the total discovered during the investigation.
   If there was an initial discovery of 400 individuals, but upon investigation another 150 are discovered, HHS must be notified.
A log must be maintained and submitted annually to HHS for breaches of fewer than 500 individuals.
• Must be submitted within 60 days of the end of the calendar year.
• The HHS website will provide details on how to submit.
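The breach-identification steps (exceptions to breach, identification of breach) and the notification rules (individual, substitute, media and HHS notice) above form one decision procedure. The following is an added example, not code from the benefitexpress deck or any HHS tool: it encodes those exceptions and thresholds as a small, testable triage helper an incident-response team could run over an incident record. The Incident fields, the sample incidents (three restate the deck's own examples, two are constructed) and the summary wording are assumptions made for illustration; the legal determination still rests on the documented risk assessment.

```python
"""Breach triage helper (added example; field names and samples are assumptions)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

NOTICE_OUTSIDE_LIMIT_DAYS = 60   # individual/BA/HHS notice: no later than 60 days after discovery
MEDIA_NOTICE_THRESHOLD = 500     # media notice: more than 500 residents of one state/jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500    # HHS notice with the individual notice: 500 or more in total
SUBSTITUTE_NOTICE_SMALL = 10     # fewer than 10 unreachable individuals: written/phone/other means
WEB_POSTING_DAYS = 90            # otherwise: conspicuous web posting for 90 days or more
ANNUAL_LOG_GRACE_DAYS = 60       # small-breach log due within 60 days of calendar year end


@dataclass
class Incident:
    discovered: date                          # first day known, or knowable with reasonable diligence
    secured_phi: bool                         # encrypted/destroyed per HHS-approved methodology
    recipient_under_plan_authority: bool      # recipient is a workforce member or BA of the plan
    recipient_acquired_unintentionally: bool  # e.g. a misdirected e-mail the recipient did not seek
    good_faith_in_scope: bool                 # acquisition in good faith and within scope of authority
    discloser_authorized_same_entity: bool    # sender may access PHI at the same plan/BA
    further_use_or_disclosure: bool           # PHI went on to be used/disclosed impermissibly
    recipient_could_retain: bool              # unauthorized recipient could reasonably keep the PHI
    significant_risk_of_harm: bool            # conclusion of the documented risk assessment
    affected_by_jurisdiction: dict[str, int] = field(default_factory=dict)
    unreachable_individuals: int = 0          # affected people with no usable contact information


def breach_exception(inc: Incident) -> str | None:
    """Return the slide-numbered exception that applies, or None if none does."""
    if inc.secured_phi:
        return "1. secured PHI"
    if (inc.recipient_under_plan_authority and inc.recipient_acquired_unintentionally
            and inc.good_faith_in_scope and not inc.further_use_or_disclosure):
        return "2. unintentional acquisition, access or use"
    if (inc.recipient_under_plan_authority and inc.discloser_authorized_same_entity
            and not inc.further_use_or_disclosure):
        return "3. inadvertent disclosure between authorized persons"
    if not inc.recipient_could_retain:
        return "4. recipient could not reasonably have retained the PHI"
    return None


def is_reportable_breach(inc: Incident) -> tuple[bool, str]:
    """Exception check first, then the harm-based 'compromises' test."""
    exc = breach_exception(inc)
    if exc is not None:
        return False, f"exception applies: {exc}"
    if not inc.significant_risk_of_harm:
        return False, "no significant risk of harm (keep the risk assessment on file)"
    return True, "unsecured PHI compromised"


def notification_plan(inc: Incident) -> dict:
    """Which notices are owed and by when (dates as ISO strings)."""
    reportable, reason = is_reportable_breach(inc)
    plan = {"reportable": reportable, "reason": reason}
    if not reportable:
        return plan
    deadline = (inc.discovered + timedelta(days=NOTICE_OUTSIDE_LIMIT_DAYS)).isoformat()
    plan["individual_notice_deadline"] = deadline
    plan["media_notice_jurisdictions"] = sorted(
        j for j, n in inc.affected_by_jurisdiction.items() if n > MEDIA_NOTICE_THRESHOLD)
    if inc.unreachable_individuals == 0:
        plan["substitute_notice"] = None
    elif inc.unreachable_individuals < SUBSTITUTE_NOTICE_SMALL:
        plan["substitute_notice"] = "written, telephone or other means"
    else:  # slides say "more than 10"; exactly 10 is treated the same way here (assumption)
        plan["substitute_notice"] = (f"conspicuous web posting for {WEB_POSTING_DAYS}+ days "
                                     "or major media, with a toll-free number")
    total = sum(inc.affected_by_jurisdiction.values())  # total found during the whole investigation
    if total >= HHS_IMMEDIATE_THRESHOLD:
        plan["hhs_notice"] = ("with individual notice", deadline)
    else:
        year_end = date(inc.discovered.year, 12, 31)
        plan["hhs_notice"] = ("annual log", (year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS)).isoformat())
    return plan


# Constructed sample incidents: the first three restate the deck's own examples, the last two are
# invented to exercise the notification thresholds (discovery date is arbitrary).
_BASE = dict(discovered=date(2016, 3, 31), secured_phi=False, recipient_under_plan_authority=False,
             recipient_acquired_unintentionally=False, good_faith_in_scope=False,
             discloser_authorized_same_entity=False, further_use_or_disclosure=False,
             recipient_could_retain=True, significant_risk_of_harm=True)
MISDIRECTED_EMAIL = Incident(**{**_BASE, "recipient_under_plan_authority": True,
                                "recipient_acquired_unintentionally": True, "good_faith_in_scope": True,
                                "discloser_authorized_same_entity": True})
APPEALS_COMMITTEE = Incident(**{**_BASE, "recipient_under_plan_authority": True,
                                "good_faith_in_scope": True, "discloser_authorized_same_entity": True})
RETURNED_EOBS = Incident(**{**_BASE, "recipient_could_retain": False})
UNENCRYPTED_MEDIA_LOST = Incident(**_BASE, affected_by_jurisdiction={"IL": 420, "WI": 150},
                                  unreachable_individuals=12)
MISDIRECTED_FAX = Incident(**_BASE, affected_by_jurisdiction={"IL": 40}, unreachable_individuals=3)

if __name__ == "__main__":
    for name, inc in [("misdirected e-mail", MISDIRECTED_EMAIL),
                      ("lost unencrypted media", UNENCRYPTED_MEDIA_LOST)]:
        print(name, notification_plan(inc))
```

The order of checks mirrors the slides: an exception removes the incident from the breach definition before any harm analysis, and only an unsecured, significant-risk incident produces deadlines. Note that the lost-media sample crosses the 500 total that triggers HHS notice with the individual notice, yet no single jurisdiction exceeds 500, so no media notice is owed.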
56. Other Changes
• State notification laws are not preempted unless they stand “as an obstacle”
• Law enforcement delay of notification: a verbal notice must be documented and is for a maximum of 30 days; a written notice is for the time period specified
• Must train workforce on the requirements
• Complaint processes must provide for the ability to include complaints regarding these processes
• Retaliation/waiver/intimidating acts are prohibited
• There are sanctions for failure to comply
57. Penalties/Enforcement
58. Penalties/Enforcement
HHS audits are now required.
Penalty amounts:
• Minimum $100 if the entity did not know of the violation and would not have known even with reasonable diligence; maximum $50K per violation, $1.5M total
• Minimum $1,000 if reasonable cause and not willful neglect; maximum $50K per violation, $1.5M total
• Minimum $10,000 if willful neglect but corrected; maximum $50K per violation, $1.5M total
• Minimum $50,000 if willful neglect and not corrected; maximum $1.5M
60. Compliance Audits
• OCR announced the launch of phase 2 of the audit program in March 2016.
• Here are some things to expect:
Who may be audited?
   OCR intends to audit a wide range of covered entities, and business associates will be added to the list of audit targets, now that OCR has direct enforcement authority over business associates.
   OCR’s stated goal is to have a broad sample of audited entities, including each type of covered entity (plans, providers, and clearinghouses), different types of business associates, entities of different sizes, and entities located in various regions throughout the country.
61. Compliance Audits: What is the structure of the audit program?
Phase 2 will be conducted in three rounds:
• Round 1: The first round will be remote desk audits of covered entities, based on documents and other information received in response to an information request.
• Round 2: The second round will be remote desk audits of business associates, based on documents and other information received in response to an information request. Rounds 1 and 2 are expected to be completed by December 2016.
• Round 3: The third set of audits will be on-site and will examine a broader scope of HIPAA requirements than the desk audits. Both covered entities and business associates, including those that already underwent a desk audit, may be subject to an on-site audit.
62. Compliance Audits: How will the audit program work?
• The audit process will employ common audit techniques
• Entities selected for an audit will be sent an email notification of their selection and will be asked to provide documents and other data in response to a document request letter
• Audited entities will submit documents online via a new secure audit portal on OCR’s website, within 10 business days after they receive OCR’s request
• After reviewing relevant documentation and other information, auditors will develop and share draft findings with the audited entity
• Audited entities will have the opportunity to respond to the draft findings, and their written responses will be included in the final audit report. Audit reports generally describe how the audit was conducted, discuss any findings, and contain entity responses to the draft findings
63. Compliance Audits: What is the audit timeline?
• The timeline for desk audits is quite compressed
• Once the auditor sends draft findings to the audited entity, the audited entity will have just 10 business days to review the findings and return written comments to the auditor
• The auditor will complete a final report within 30 business days after receiving the audited entity’s comments
• On-site audits will be conducted over a period of 3–5 days, depending on the size of the entity
• As with desk audits, the audited entity will have just 10 business days to review and submit written comments on the auditor’s draft findings
• The final audit report will be completed and furnished to the audited entity within 30 days after the audited entity’s response
64. Compliance Audits: What is the likely scope of an audit?
OCR has indicated that desk audits will be more limited than on-site audits, but it is unclear how much more limited they will be.
OCR also has released an updated audit protocol. Previously, OCR had suggested that the updated protocol would identify the areas that OCR would focus on during phase 2 audits, but the actual protocol does not really carry through on this suggestion: it lists all of the security rule’s requirements for administrative, physical, and technical safeguards and all of the breach notification rule’s requirements.
65. Compliance Audits: What is the likely scope of an audit?
The protocol is a little narrower with respect to the privacy rule, covering:
• the Notice of Privacy Practices
• the right to request privacy protection for PHI
• access of individuals to PHI
• administrative requirements (such as training, policies and procedures, sanctions, and document retention)
• uses and disclosures of PHI
• individuals’ rights to request amendment of PHI and accountings of disclosures
66. Compliance Audits: How do you prepare for a possible audit?
• Be alert to OCR communications
• Don’t ignore OCR
• Round up all the OCR inquiries
• Have an audit response plan in place
• Conduct a pre-audit review
• Time is of the essence
• Know your business associates
• Develop or update compliance documents
68. Contact
Larry Grudzien
Attorney at Law
708-717-9638
larry@larrygrudzien.com
larrygrudzien.com