Ninth National HIPAA Summit: Auditing for Privacy Compliance: A Case Study (September 2004)
Copyright © 2004 Emerson Strategic Group, Inc. All Rights Reserved


Copyright © Emerson Strategic Group, Inc. All Rights Reserved

Slide 1: Ninth National HIPAA Summit
Auditing for Privacy Compliance: A Case Study
September 13, 2004, Baltimore, MD
Mariann Yeager, MBA, Emerson Strategic Group, Inc.

Slide 2: WEDi SNIP Audit White Paper, Auditing for Privacy Compliance
Purpose
- Share strategies for organizing an audit program
- Discuss various approaches given the size and complexity of the organization
- Build a framework that adapts to change
Scope
- Auditing compliance with HIPAA Privacy policies and procedures
- Safeguards – § (c)
Reference: er/pub/P-Auditingv10.pdf

Slide 3: WEDi SNIP White Paper, Auditing for Privacy Compliance
- What is an Audit? Why Audit?
- Audit Process
  - Structuring an audit program
  - Who should conduct the audit
  - Audit team
- Avoiding Pitfalls
  - Don't forget buy-in
  - What to audit
  - How frequently
- Audit Methodology
  - Blind or informed audit
  - Self-audit tool
  - Physical walkthrough
  - Interviews
  - Checklist or scorecard
  - Output samples
- Auditing Results
  - Packaging the results
  - Who should hear the results
  - Handling violations and non-compliance

Slide 4: Auditing for Privacy Compliance: A Case Study

Slide 5: Case Study
- Covered Entity Profile
- HIPAA Implementation Efforts
- Audit Objectives
- Audit Methodology
- Identified Issues
- Recommendations

Slide 6: Covered Entity Profile
- Plastic Surgery Practice Plan = Covered Entity
  - Separate legal entity from School of Medicine
  - Sub-specialty within Surgery
  - Each practice Administrator responsible for P&L, operations, compliance, etc.
  - Will migrate into one CE with other surgery groups within the next 6 months to 2 years
- Numerous locations
- Some research (handful of studies)
- Primarily OHCA within hospital / clinics
  - Facility, Reception, Nurse Manager, Nurses and Billing Staff are generally hospital staff
- Some separate non-OHCA locations

Slide 7: HIPAA Implementation Efforts
- Administrator = Privacy Official
  - Accountable to Surgery Administrator and School Compliance Office
- Diligent implementation effort:
  - Used automated tool for assessment and template policies and procedures (P&P)
  - Detailed review with nurses, researchers and medical secretaries
  - Tailored P&P to their workflow
  - General awareness training by School of Medicine and hospitals
  - Additional functional training within practice plan
- Good documentation
- Thoughtful implementation

Slide 8: Audit Objectives
- Assess how they are doing:
  - Are their day-to-day practices compliant?
  - Is the HIPAA manual adequate?
- Identify risks and exposure
- Use an objective third party
- Identify changes and improvements
- Determine what they can do to keep the compliance effort on track
- Ensure they are making the most of the existing investment in compliance

Slide 9: Audit Methodology
- Review documentation
  - Forms, policies and procedures, Notice, Accounting, etc.
- Conduct visual walkthrough
  - Safeguards, logistics and processes
- Conduct interviews with key people
- Complete questionnaire
  - Covers all privacy rule requirements
- Document key findings and recommendations in a summary report
- Review with Administrator and Compliance Office

Slide 10: Environmental Factors: Records Room
- Shadow charts stored in Administrative Offices
  - Door open, but in a restricted area across from the Administrator's office
- Transported to/from clinic by Medical Secretary
- Safeguarding carts is key

Slide 11: Environmental Factors: Patient Check-In
- Staffed by hospital employees in OHCA locations
- Reliance on Hospital Notice / Acknowledgement
- Patient Rights requests generally handled by clinic staff vs. Plastic Surgery staff

Slide 12: Environmental Factors: Medical Secretary Work Area
- Staffed by hospital employees in OHCA locations
- Carts used to transport records
- Open area
  - Incidental disclosures common
  - Training is key

Slide 13: Environmental Factors: Outpatient Checkout
- Staffed by practice plan employees
- Schedule follow-up appointments
- Backs up to check-in desk
- Shared fax and printer
- OHCA in its truest sense

Slide 14: Identified Issues
1. Other covered entities in OHCA sometimes non-responsive in resolving issues
2. No procedures for verifying identity, particularly over the phone
3. No procedures for mitigation in the event of a breach
4. Authorizations missing key elements
5. Not documenting accounting of disclosures
   - Disclosures made by physicians to Health Dept., Professional Boards, abuse, etc.
   - Patient authorization in all other instances

Slide 15: Identified Issues (cont.)
6. Unsure whether non-OHCA locations are properly documenting Notice Acknowledgement
7. Develop routine training for existing workforce
8. Lack of understanding of de-identification
9. Not tracking whether there are individual requests, e.g. restrictions on uses and disclosures of PHI

Slide 16: Recommendations
1. Develop procedures for documenting disclosures (e.g. Health Dept., Professional Boards, abuse, etc.)
2. Develop a checklist to verify that authorizations supplied by other parties contain all required elements
3. Develop procedures for verifying identity and for mitigation
4. Train staff on escalating issues with OHCA hospitals and on new procedures, and provide routine training (e.g. reminders, FAQs, etc.)

Slide 17: Identified Issues (cont.)
5. Establish regular monitoring activities:
   - Verify that non-OHCA locations are properly documenting Notice Acknowledgement
   - Track whether patients are exercising their requests
   - Verify that procedures are being followed

Slide 18: Ninth National HIPAA Summit
Auditing for Privacy Compliance: A Case Study
September 13, 2004, Baltimore, MD
Mariann Yeager, MBA, Emerson Strategic Group, Inc.