PHASE II OF HIPAA AUDIT PROGRAM June 2016 Presented by John P. Murdoch II, Esq. of Wilentz, Goldman & Spitzer, P.A. Two Industrial Way West Two Industrial.

1 PHASE II OF HIPAA AUDIT PROGRAM
June 2016
Presented by John P. Murdoch II, Esq. of Wilentz, Goldman & Spitzer, P.A.
Two Industrial Way West
Eatontown, NJ 07724
(732) 855-6008
jmurdoch@wilentz.com

2 DISCLAIMER
The information provided in this presentation is for discussion purposes only and may not be considered legal advice. The information presented is a brief summary of selected provisions of the HIPAA Privacy and Security Rules. Such rules as well as other applicable law must be carefully analyzed by each health care provider to determine such health care provider’s specific needs and legal obligations. Please consult with competent legal counsel to discuss the specific legal requirements for your entity.

3 Overview
- What was “Phase I” of the HIPAA Audit Program?
- What is “Phase II” of the HIPAA Audit Program?
- What are recent enforcement actions?
- What should we be doing now?

4 “Phase I”
- HITECH requires OCR to conduct periodic audits of covered entities and business associates to determine compliance with the HIPAA Privacy, Security and Breach Notification Rules.
- In 2011 OCR conducted a pilot audit program to assess controls and processes of 115 covered entities.

5 “Phase II”
- OCR has now launched “Phase II”.
- Who will be audited?
- OCR has issued many letters to covered entities and business associates as part of this Phase II.
- Desk audits and onsite audits of covered entities and then of business associates
- Documents to be submitted via secure audit portal WITHIN 10 days of request!
- Auditee will have a chance to review and respond to draft findings.

6 “Phase II”
- Part of the process is for the OCR to learn.
- Identify “best practices”
- Enable the OCR to “get out in front of problems before they result in breaches”
- Enable OCR to be able to issue guidance regarding compliance challenges

7 Selected Civil Resolutions
- HHS/OCR have imposed and collected more than $33 million in penalties.
- Selected examples of recent civil enforcement actions:
- NY Presbyterian: $2.2 million settlement for unauthorized filming. Consider certain key factors:
  - “Virtually unfettered access”
  - A “medical professional urged the crew to stop”
  - Compromised conditions of patients who did not give appropriate authorization

8 Selected Civil Resolutions
- Lahey Hospital and Medical Center: $850,000 settlement and corrective action plan in connection with stolen laptop. Consider certain key factors:
  - Unlocked treatment room in which laptop was stored
  - Hard drive of laptop contained PHI of 599 patients
  - “Failure to conduct a thorough risk analysis”
  - Lack of a “unique user name for identifying and tracking user identity with respect to the workstation”

9 Selected Civil Resolutions
- University of Washington Medicine: $750,000 settlement for failing to implement policies and procedures to “prevent, detect, contain, and correct security violations.” Consider certain key factors:
  - Approximately 90,000 individuals’ PHI was accessed after an employee downloaded an attachment that contained malware.
  - Affiliated covered entities must have appropriate policies and procedures in place
  - “Limited risk analysis”

10 Selected Civil Resolutions
- Raleigh Orthopaedic Clinic, P.A.: $750,000 settlement for failure to have Business Associate Agreement. Consider certain key factors:
  - Disclosure of PHI for approximately 17,300 individuals to a potential business partner without executing a business associate agreement and lack of safeguards
- North Memorial Health Care of Minnesota: $1,550,000 settlement. Consider certain key factors:
  - Involved stolen laptop from an employee of a business associate containing PHI of 9,497 individuals

11 Selected Civil Resolutions
- Affinity Health paid $1.2 million to settle HIPAA violation claims arising out of its failure to scrub copiers of PHI before returning them to the equipment lessor.
- Idaho State University paid $400,000 to settle a data breach resulting from the disabling of a firewall that remained undetected for 10 months.
- Parkview and Cornell Prescription Pharmacy settlements concerning paper records
- Hospice of Northern Idaho: $50,000 for a breach arising out of the theft of an unencrypted laptop.
- See: http://www.hhs.gov/hipaa/newsroom/index.html

12 What do we do now?!

13 Requirements for Covered Entities Under HIPAA
- Risk Analysis
- Have Policies and Procedures (Privacy, Security and Breach Notification Rules)
- Implement appropriate administrative, technical, and physical safeguards to protect the privacy and security of PHI
- Notice of Privacy Practices
- Designate a Privacy Officer and person responsible for receiving complaints regarding HIPAA
- Provide training to workforce
- Implement “Business Associate” agreements

14 Requirements for Covered Entities Under HIPAA
- Provide process for complaints and document all complaints received and their disposition
- Provide appropriate sanctions against members of its workforce who violate the privacy policies and procedures or the HIPAA privacy regulations and document sanctions
- Mitigate known harmful effects regarding use or disclosure of PHI in violation of policies and procedures or HIPAA regulations by a covered entity or a business associate

15 Requirements for Covered Entities Under HIPAA
- Permit access to information to the Secretary of DHHS
- Cooperate with complaint investigations and compliance reviews by the Secretary
- Refrain from retaliatory acts against persons exercising their rights to file a complaint with the DHHS, assisting in an investigation regarding impermissible disclosures, or opposing any unlawful act or practice made in good faith

16 Consider HIPAA Security Rules Compliance

17 Security Standards: General Rules
(1) Ensure confidentiality, integrity, and availability of all electronic protected health information (“ePHI”) created, received, maintained, or transmitted.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
(4) Ensure compliance with the HIPAA Security Rules by workforce.
45 C.F.R. §164.306(a).

18 Flexibility of Approach
May use any security measure that permits reasonable and appropriate implementation of the HIPAA Security Regulations. Consider the following:
(i) Size, complexity, and capabilities.
(ii) Technical infrastructure, hardware, and software security capabilities.
(iii) Costs of security measures.
(iv) Probability and criticality of potential risks to ePHI.
45 C.F.R. §164.306(b)(2)

19 Implementation Specifications: Required or Addressable
Addressable:
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting ePHI; and
(ii) (A) Implement the specification if reasonable and appropriate; or
(B) If implementation is not reasonable and appropriate:
(1) Document why it would not be reasonable and appropriate to implement the specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
45 C.F.R. §164.306(d).

20 Administrative Safeguards
Standards:
1. Security Management Process
2. Assigned Security Responsibility
3. Workforce Security
4. Information Access Management
5. Security Awareness and Training
6. Security Incident Procedures
7. Contingency Plan
8. Evaluations
9. Business Associate Agreements

21 Physical Safeguards
Standards:
1. Facility Access Controls
2. Workstation Use
3. Workstation Security
4. Device and Media Controls

22 Technical Safeguards
Standards:
1. Access Control
2. Audit Controls
3. Integrity
4. Person or Entity Authentication
5. Transmission Security

23 Useful Links
U.S. Department of Health & Human Services, Health Information Privacy: http://www.hhs.gov/hipaa/index.html
Launch of Phase II Audit Program: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

24 Thank you!