Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 1 Ninth National HIPAA Summit Auditing for Privacy Compliance: A Case Study September.

Published byMorgan Hardy Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 1 Ninth National HIPAA Summit Auditing for Privacy Compliance: A Case Study September."— Presentation transcript:

1 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 1 Ninth National HIPAA Summit Auditing for Privacy Compliance: A Case Study September 13, 2004 Baltimore, MD Mariann Yeager, MBA Emerson Strategic Group, Inc. 703.519.0817 tel 703.623.1924 cel myeager@emersonsg.com www.emersonsg.com

2 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 2 WEDi SNIP Audit White Paper Auditing for Privacy Compliance Purpose Share strategies for organizing audit program Discussing various approaches given size and complexity of organization Build framework that adapts to change Scope Auditing compliance with HIPAA Privacy policies and procedures Safeguards – §164.530(c) http://www.wedi.org/cmsUploads/pdfUpload/WhitePap er/pub/P-Auditingv10.pdf

3 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 3 WEDi SNIP White Paper Auditing for Privacy Compliance What is an Audit? Why Audit? Audit Process Structuring an audit program Who should conduct the audit Audit team Avoiding Pitfalls Don’t forget buy-in What to Audit How frequently Audit Methodology Blind or informed audit Self-audit tool Physical walkthrough Interviews Checklist or scorecard Output samples Auditing Results Packaging the Results Who should hear the results Handling violations and non-compliance

4 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved Auditing for Privacy Compliance A Case Study

5 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 5 Case Study Covered Entity Profile HIPAA Implementation Efforts Audit Objectives Audit Methodology Identified Issues Recommendations

6 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 6 Covered Entity Profile Plastic Surgery Practice Plan = Covered Entity Separate legal entity from School of Medicine Sub-specialty within Surgery Each practice Administrator responsible for P&L, operations, compliance, etc. Will migrate into one CE with other surgery groups within next 6 months - 2 years Numerous locations Some research (handful of studies) Primarily OHCA within hospital / clinics Facility, Reception, Nurse Manager, Nurses and Billing Staff are generally hospital Some separate non-OHCA locations

7 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 7 HIPAA Implementation Efforts Administrator = Privacy Official Accountable to Surgery Administrator and School Compliance Office Diligent Implementation Effort: Used automated tool - assessment and template policies and procedures (P&P) Detailed review with nurses, researchers and medical secretaries Tailored P&P to their workflow General awareness training by School of Medicine and hospitals Additional functional training within practice plan Good documentation Thoughtful implementation

8 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 8 Audit Objectives Assess how they are doing: Are their day-to-day practices compliant? Is the HIPAA manual adequate? Identify risks and exposure Use objective third party Identify changes and improvements Determine what they can do to keep compliance effort on track Ensure they are making the most of existing investment in compliance

9 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 9 Audit Methodology Review documentation Forms, policies and procedures, Notice, Accounting, etc. Conduct visual walk through Safeguards, logistics and processes Conduct interviews with key people Complete Questionnaire Covers all privacy rule requirements Document key findings and recommendations in summary report Review with Administrator and Compliance Office

10 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 10 Environmental Factors Shadow charts stored in Administrative Offices Door open – but in restricted area across from Administrator’s office Transported to/from clinic by Medical Secretary Safeguarding carts key Records Room

11 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 11 Environmental Factors Staffed by hospital employees in OHCA locations Reliance on Hospital Notice/ Acknowledgement Patient Rights requests generally handled by clinic staff vs. Plastic Surgery staff Patient Check-In

12 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 12 Environmental Factors Staffed by hospital employees in OHCA locations Carts used to transport records Open area Incidental disclosures common Training key Medical Secretary Work Area

13 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 13 Environmental Factors Staffed by practice plan employees Schedule follow up appointments Backs up to check in desk Shared fax and printer OHCA in its truest sense Outpatient Checkout

14 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 14 Identified Issues 1. Other covered entities in OHCA sometimes non-responsive in resolving issues 2. No procedures for verifying identity – particularly over the phone 3. No procedures for mitigation in the event of a breach 4. Authorizations missing key elements 5. Not documenting accounting of disclosures Disclosures made by physicians to Health Dept., Professional Boards, abuse, etc. Patient authorization in all other instances

15 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 15 Identified Issues - Cont. 6. Unsure whether non-OHCA locations are properly documenting Notice Acknowledgement 7. Develop routine training for existing workforce 8. Lack of understanding of de-identification 9. Not tracking whether there are individual requests – e.g. restrictions on uses and disclosures of PHI

16 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 16 Recommendations 1. Develop procedures for documenting disclosures (e.g. Health Dept., Professional Boards, abuse, etc.) 2. Develop checklist to verify that authorizations supplied by other parties contain all required elements 3. Develop procedures for verifying identity and mitigation 4. Train staff - escalating issues with OHCA hospitals and on new procedures and provide routine training (e.g. reminders, FAQs, etc.)

17 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 17 Identified Issues - Cont. 5. Establish regular monitoring activities: Verify that non-OHCA locations are properly documenting Notice Acknowledgement Tracking whether patients are exercising their requests Verifying that procedures are being followed

18 Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 18 Ninth National HIPAA Summit Auditing for Privacy Compliance: A Case Study September 13, 2004 Baltimore, MD Mariann Yeager, MBA Emerson Strategic Group, Inc. 703.519.0817 tel 703.623.1924 cel myeager@emersonsg.com www.emersonsg.com

Download ppt "Copyright © 2004. Emerson Strategic Group, Inc. All Rights Reserved 1 Ninth National HIPAA Summit Auditing for Privacy Compliance: A Case Study September."

Similar presentations

H OGAN & H ARTSON, L.L.P.

H OGAN & H ARTSON, L.L.P.
Frequently Asked Questions…. …about HIPAA Notice of Privacy Practices and Acknowledgement.

Frequently Asked Questions…. …about HIPAA Notice of Privacy Practices and Acknowledgement.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
Randy Benson RHQN Executive Director May, 2012. Compliance Issues During Survey Compliance Officers monitor healthcare facilities (hospitals and clinics)

Randy Benson RHQN Executive Director May, Compliance Issues During Survey Compliance Officers monitor healthcare facilities (hospitals and clinics)
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Privacy, Security, Confidentiality, and Legal Issues

Privacy, Security, Confidentiality, and Legal Issues
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.
Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.
Standard 5: Patient Identification and Procedure Matching Nicola Dunbar, Accrediting Agencies Surveyor Workshop, 10 July 2012.

Standard 5: Patient Identification and Procedure Matching Nicola Dunbar, Accrediting Agencies Surveyor Workshop, 10 July 2012.

Similar presentations

Ads by Google