HIPAA Audits are Here - Be Ready! Presenter: Diane Evans, PUBLISHER, MyHIPAA Guide


1 HIPAA Audits are Here - Be Ready!
Presenter: Diane Evans, PUBLISHER, MyHIPAA Guide
Email Diane Evans: devans@medmediamart.com
Phone: 1-877-438-1386
http://MyHIPAAGuide.com

2 Goals for Providers:
1. Create a culture of vigilance
2. Protect patient/resident information
3. Avoid fines, settlements and corrective action plans

3 Presentation Covers:
1. HIPAA Overview/How to Create a Culture of Compliance
2. 10 Step Plan to Compliance
3. What to Expect in an Audit

4 In the beginning...
1996: Passage of the Health Insurance Portability and Accountability Act (HIPAA)
Mandates include:
● National security standards for the use of electronic healthcare information
● Privacy standards for protected health information
Through the mid-2000s: Little enforcement
By 2008: 33,000 complaints filed, resulting in 8,000 investigations and no fines.

5 A natural disaster changes everything
2005: Katrina reveals the public threat of mass loss of paper health records
2009: Passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act
Result:
● The law strengthens civil and criminal enforcement of the HIPAA rules and requires audits for enforcement.

6 Now we’re ready to go to work. So first things first.
Create authority & a clear job description for the Compliance Officer
The CO’s job is to:
● Cultivate an environment of compliance
● Develop a system for compliance, recognizing it takes a community to foster integrity that results in daily vigilance

7 Execute a Compliance Program Charter
Build a solid foundation to support the Compliance Officer:
1. Set forth principles of Professional Ethics & Integrity
2. Spread the responsibility: Compliance is everyone’s job
3. Spell out the specific tasks assigned to the Compliance Officer
4. Protect the Compliance Officer from liability/retaliation
Note: A sample Compliance Program Charter will be provided on request

8 Now the CO can tend to the details of what to do
In 2013, the US Department of Health and Human Services announced a 10 step plan for compliance as an easy reference point:
Step 1: Make sure you need to comply with HIPAA
Step 2: Put somebody in charge: You need both a Privacy Official and a Security Official. The same person may fill both roles depending on the size of your organization.

9 Step 3: Document processes, findings, and actions
Document everything, including risk assessments, procedures, actions, findings, staff training, and everything else covered in the 10 Step Plan. Organize your compliance documentation in central locations, so both paper and electronic records can be easily referenced. In an audit, expect the first request to be for your documentation.

10 Step 4: Conduct a security risk analysis
This is one of the most critical steps for compliance. Protect PHI as you would protect your home. In other words, think about risks and what you can do to minimize them.
Community-based agencies: Assess risks at every location where private health information is stored.
● Anticipate ways someone, or some group, might compromise files or databases containing PHI, followed by actions to reduce risks
● Plan for disasters such as floods or disruptions such as power outages

11 Steps 5 & 6: Develop an action plan & carry it out daily
Using your risk analysis results, develop an action plan to mitigate the identified risks. Action plans should cover five broad categories:
1. Administrative safeguards: Create processes for achieving compliance
2. Physical safeguards: Protect facilities where health information is stored
3. Technical safeguards: Guard databases, computers and other devices containing PHI
4. Policies and procedures: Develop formal policies and procedures and document everything
5. Organizational practices: Practice daily habits that create a mindset of protecting individual health information

12 Step 7: Prevent Breaches
To safeguard patient health information, staff must know how to implement policies, procedures, and security audits. HIPAA requires workforce training on policies and procedures. Staff must also receive formal training on breach notification.

13 Step 8: Communicate with patients
First keep in mind this overarching principle: Communicating privacy obligations is more than just an exercise in form development and standard procedures. It’s about communicating a PROMISE to people to protect their rights to privacy. For an organization, it’s about transparency and ultimately INTEGRITY - to be true to the talk!

14 Step 8 Cont’d: Patient Privacy Notices
Treat your privacy notice as more than just a boilerplate document. Key points to keep in mind:
~ It’s not a one and done; notices need to be updated regularly. Set a policy to review them every two years for updates.
~ Don’t just hand them out for a signature; create a ‘script’ for your staff so they can explain patient rights.
~ Create a laminated ‘card’ with highlights and call-outs as a way of educating your staff (e.g. so they know when they are obligated to share information with police officers and other authorities).
~ Make privacy notices accessible to your patients and their families or guardians; provide them in English, Spanish or any other language that your patients may speak (Google Translator can help!).
~ Finally, POST THEM: make them available on your website and in common areas people in your organization see; make them BIG and COLORFUL.

15 Step 8 Cont’d: Breach Notification
It’s not only the law, it’s about Promises to People
Even though HIPAA laws have strict guidelines to notify people when information is compromised, make HIPAA the basement rule. Set your standard so it doesn’t just meet the MANDATORY requirement. Set your standard high and share it with the people you serve.
Key points to consider as your standard:
~ While we take every step possible to protect information, if privacy is compromised for ANY reason, we promise to let you know and make it right to the best of our ability.
~ We promise to train our staff to avoid any possible breaches or exposures, and if breaches occur, we promise to take any and all appropriate actions (up to and including disciplinary action).
~ We promise to let you know your rights. If we made a mistake and you aren’t happy with our corrective actions, we will let you know how to file a claim with the US Office for Civil Rights.

16 Step 9: Update or execute BAAs (Business Associate Agreements)
A Business Associate is a person or organization (other than an employee of a covered entity) who performs functions or provides services related to creating, receiving, maintaining, or transmitting PHI on behalf of your organization.
A written contract with your Business Associate must:
● Detail the uses and disclosures of PHI the Business Associate may make
● Require that the Business Associate safeguard PHI

17 Step 10: Attest for the Security Risk Analysis Meaningful Use Objective
Pertains only to providers in the Medicare/Medicaid Incentive Program

18 How to accomplish compliance with clear goals in mind
~ Create a work plan with specific tasks/deliverables assigned to appropriate individuals
~ Organize your plan around major priorities, such as policy management, risk assessment and vendor/contractor accountability
~ Set deadlines

19 Sample organizational structure for a work plan

20 Successful Leadership = A Culture of Compliance
Evidenced by:
~ Staff take privacy issues seriously
~ Safeguards become daily routines
~ Staff expect to be held accountable

21 Penalty Schedule
Source: American Medical Association

HIPAA violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million

22 Disclaimer: The content of this presentation is informational only and does not constitute legal advice. Health care providers need to assess their own legal obligations.

