Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy, Security and Compliance Concerns for Management and Boards November 19, 2015 Carolyn Heyman-Layne, Esq. 1.

Published byMarilyn Phillips Modified over 8 years ago

Similar presentations

Presentation on theme: "Privacy, Security and Compliance Concerns for Management and Boards November 19, 2015 Carolyn Heyman-Layne, Esq. 1."— Presentation transcript:

1 Privacy, Security and Compliance Concerns for Management and Boards November 19, 2015 Carolyn Heyman-Layne, Esq. 1

2  HIPAA  Other potential privacy laws: 42 CFR Part 2, Privacy Act, FERPA, AK PIPA, other State laws  Other healthcare liability concerns for management and board members  Effective compliance plans 2

3  Quick summary of key concepts: HIPAA applies to Covered Entities. Covered Entities are required to protect Protected Health Information. Uses and disclosures are allowed for treatment, payment and health care operations. 3

4  It is the responsibility of the Covered Entity to enter into Business Associate Agreements with their business associates.  Business Associate Agreement can be separate document or included as provision in larger contract.  Covered Entity may be a business associate, as well as a covered entity. 4

5  Provide information to patients about their privacy rights and how their information can be used (Notice of Privacy Practices).  Adopt clear privacy procedures.  Train employees to understand privacy procedures.  Protect patient records that contain IIHI.  Report breaches of PHI. 5

6  The Security Rule was enacted to physically protect health information.  Focuses on administrative, physical and technical security of information. Administrative: Employee access rights Physical: Workstation locations Technical: Automatic logoff 6

7 HITECH/HIPAA  Acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI.  Only applies to “unsecured PHI”, such as unencrypted data on a laptop, etc. AK PERSONAL INFORMATION PROTECTION ACT (AK PIPA)  Unauthorized acquisition, or reasonable belief of unauthorized acquisition of personal information that compromises the security, confidentiality or integrity of the personal information.  Only applies to “personal information”: not encrypted or redacted; combination of name and identifying number (SSN, DL#, credit card or bank account, etc.) 7 Privacy breach insurance is available!!!

8 42 CFR Part 2 State LawHIPAA Least Strict Most Strict HIPAA is usually the minimum for confidentiality, and 42 CFR Part 2 is usually the maximum. 8

9 HIPAA  Covered Entities  Protected Health Information (PHI)  Protects medical record numbers  Allows disclosures without authorization for treatment, payment and healthcare operations  Business Associate Agreements 42 CFR PART 2  Part 2 Programs  Information that identifies substance abuser  Does not protect medical record numbers  Does not allow any disclosure without consent except in very limited special circumstances  Qualified Service Organization Agreements 9

10  Privacy Act of 1974 – primarily Alaska Native programs, but also Federal agencies  Alaska Personal Information Protection Act  FERPA – Family Educational Rights and Privacy Act – schools  State laws re: substance abuse, behavioral health, etc. 10

11  Management needs to understand how to implement and comply with these laws  Your board may encounter health information as well: Grievance procedures Discussion of compliance issues Direct patient contact  Case law has established a board’s duty to oversee a compliance program for healthcare organizations.  The Board is ultimately responsible, but management is responsible for getting them information. 11

12  Affordable Care Act Compliance Requirements  OIG Guidance  7 Elements of an Effective Compliance Plan  What Should Your Compliance Plan Cover?  Getting Ready for Enforcement & Audits 12

13  Affordable Care Act requires compliance program for providers enrolled in Medicare or Medicaid (including Denali Kidcare)  HHS and OIG to issue guidance  Timeline still unknown for small provider offices, but expected in next couple of years  Auditors may be looking for compliance elements, even if new guidance not issued 13

14  Requires Compliance Program as a Condition of Participation in Medicare All providers must certify that they have an effective compliance program Regulations expected for various provider types, nursing home regulations already issued Enforcement activity increased – MFCU, Audits, etc. Flexibility for varying size providers 14

15  Congress clarified obligation to report and refund Medicare and Medicaid overpayments: Now very clear that overpayments are to be reported and returned to Secretary, State, an intermediary, carrier or contractor as appropriate Must notify Secretary, State, intermediary, carrier or contractor in writing of reason for overpayment Must be done by later of:  60 days after identification  Date any corresponding cost report is due Problem: When is it “identified”? What about investigation? Liability for anyone who knows of an overpayment and fails to report/return it 15

16  Code of conduct w/written policies & procedures  Compliance officer, committee and high- level oversight  Effective training and education  Effective lines of communication  Well-publicized disciplinary standards  Effective system for routine monitoring and auditing  Prompt response to compliance issues 16

17 Code of conduct and standards describe the mission and big picture Policies set the expectation, general position of organization Procedures describe how to implement the policies 17

18  Standards for behavior and actions of everyone in the organization  Commitment to compliance  Communicate the Code of Conduct  Commit resources to the message  Support the Code of Conduct  Acknowledge the Code of Conduct 18

19  Designate a Compliance Officer May be combined with other roles – Privacy/Security Officer Should have high level of responsibility - management Proven trustworthiness  Authority to implement Compliance Plan Input into organization practices and policies Ability to influence behavior Reports to Board or Board level committee  Delegation to trustworthy individuals  You, as management, are ultimately responsible Don’t assume someone knows compliance because it was part of their old job!!!! 19

20  Communication should go in both directions  Employees should be provided alternatives for communication  Hotline process or other anonymous reporting method ideal  Stress non-retaliation  Provide variety of forums  Acknowledge and address employee concerns 20

21  Regular review of compliance policies and procedures for changes in law, activity, technology, etc.  Regular review and random audit of records: Documentation of services Billing/Coding Compare to regulations and other written requirements Look for discrepancies Retroactive or concurrent  Also utilized when suspicions arise, which means baseline is necessary  Also audit and monitor training and knowledge of employees  Feedback to employees after audit 21

22  Mitigation of event/issue  Evaluation and analysis of event/issue  Steps to prevent future issues: Disciplinary actions Education and training Changes to policies or procedure New policies and procedures New technologies Reserves for emergency circumstances  Voluntary Disclosure?  Outside consultants and/or legal counsel?  Notification of insurance, other parties? 22

23  60 day report and return rule – 60 days after identification  Penalties if you don’t report and return Monetary penalties Exclusion from programs Potential jail time (if criminal)  OIG has Self-Disclosure Protocol 90 day process Best to involve counsel Helps to reduce penalties, but does not eliminate them  Was it intentional? Could it have been prevented?  Should you have noticed earlier? 23

24  Develop written compliance program  Develop employee standards and code of conduct  Establish and train compliance committee may vary depending on size of organization  Distribute standards and code of conduct  Conduct Board/Management training  Conduct employee training, including info on how to access compliance documents  Conduct specialized training as necessary  Establish systems for monitoring 24

25  Periodically review compliance program, employee standards and code of conduct  Ensure that employee training is conducted and documented  Manage and monitor employee reporting process  Provide ongoing training, as needed  Ensure that compliance related files are maintained as described in plan  Ensure that monitoring and auditing systems are in place and working  Make periodic reports to the Board regarding compliance, even if no violations 25

26  Identify approval authority  Pilot procedures first  Make sure and get approvals in writing, with dates of enactment and review/revision  Don’t nitpick if it means significant delay (better to have something than nothing) 26

27  Head of compliance must report to governing authority  Compliance program must discover problem before outside discovery likely  Organization must report promptly to government  No person with operational responsibility should have participated, condoned or been willfully ignorant of offense 27

28  Medicare & Medicaid Billing Requirements  Medicare & Medicaid Documentation Requirements  Third Party Payor Requirements  Employment/Labor Law  Safety Laws  Reporting Requirements  HIPAA Privacy & Security  Stark & Anti-Kickback  Sarbanes-Oxley  Licensing Requirements  Other applicable laws or certification requirements 28

29  Licensing and certification  Education and training  Supervision and oversight  Credentialing and privileges  Practitioner type  Location of service  Scope of practice  Clinical forms and other paperwork 29

30  State of Alaska, Department of Health and Social Services  U.S. Department of Health and Human Services  Office of the Inspector General  Center for Medicare and Medicaid Services  FBI  Department of Justice  Office of Civil Rights  State Attorneys General 30

31  What laws apply to your organization?  What programs are in place to ensure compliance with those laws?  Who are the key employees responsible for compliance?  How and when do compliance issues get reported?  What are the goals of the compliance program? 31

32  What are the risks to the organization?  What resources are necessary to address those risks?  Have policies and procedures been implemented to address risks and laws?  Have training programs been implemented?  Is the Board informed of changes to regulatory and industry requirements that affect risk? 32

33  If there is a specific issue, ask for more information, outside expert review, whatever is necessary and reasonable to address the issue  Ask for regular reports and updates on the situation  Form an ad hoc committee to address, as necessary – may want a regular compliance committee 33

34  Are there guidelines for reporting violations to the Board?  Does the Board receive enough information to evaluate the appropriateness of the organization’s response?  Is there a policy regarding reporting to government and outside authorities? 34

35 Questions? 35

Download ppt "Privacy, Security and Compliance Concerns for Management and Boards November 19, 2015 Carolyn Heyman-Layne, Esq. 1."

Similar presentations

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.

1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
CHAPTER © 2012 The McGraw-Hill Companies, Inc. All rights reserved. 2 HIPAA, HITECH, and Medical Records.

CHAPTER © 2012 The McGraw-Hill Companies, Inc. All rights reserved. 2 HIPAA, HITECH, and Medical Records.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/2009 0.

1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/
WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.

WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.
 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”

 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA

Similar presentations

Ads by Google