PHASE II OF HIPAA AUDIT PROGRAM, June 2016. Presented by John P. Murdoch II, Esq. of Wilentz, Goldman & Spitzer, P.A.

PHASE II OF HIPAA AUDIT PROGRAM
June 2016
Presented by John P. Murdoch II, Esq. of Wilentz, Goldman & Spitzer, P.A., Two Industrial Way West, Eatontown, NJ (732)

DISCLAIMER
The information provided in this presentation is for discussion purposes only and may not be considered legal advice. The information presented is a brief summary of selected provisions of the HIPAA Privacy and Security Rules. Such rules as well as other applicable law must be carefully analyzed by each health care provider to determine such health care provider’s specific needs and legal obligations. Please consult with competent legal counsel to discuss the specific legal requirements for your entity.

Overview
- What was “Phase I” of the HIPAA Audit Program?
- What is “Phase II” of the HIPAA Audit Program?
- What are recent enforcement actions?
- What should we be doing now?

“Phase I”
- HITECH requires OCR to conduct periodic audits of covered entities and business associates to determine compliance with the HIPAA Privacy, Security and Breach Notification Rules.
- In 2011 OCR conducted a pilot audit program to assess the controls and processes of 115 covered entities.

“Phase II”
- OCR has now launched “Phase II”.
- Who will be audited?
- OCR has issued many letters to covered entities and business associates as part of this Phase II.
- Desk audits and onsite audits of covered entities, and then of business associates.
- Documents are to be submitted via the secure audit portal WITHIN 10 days of the request!
- The auditee will have a chance to review and respond to draft findings.

“Phase II”
- Part of the process is for OCR to learn:
  - Identify “best practices”.
  - Enable OCR to “get out in front of problems before they result in breaches”.
  - Enable OCR to issue guidance regarding compliance challenges.

Selected Civil Resolutions
- HHS/OCR have imposed and collected more than $33 million in penalties.
- Selected examples of recent civil enforcement actions:
- NY Presbyterian: $2.2 million settlement for unauthorized filming. Consider certain key factors:
  - “Virtually unfettered access”
  - A “medical professional urged the crew to stop”
  - Compromised conditions of patients who did not give appropriate authorization

Selected Civil Resolutions
- Lahey Hospital and Medical Center: $850,000 settlement and corrective action plan in connection with a stolen laptop. Consider certain key factors:
  - Unlocked treatment room in which the laptop was stored
  - Hard drive of the laptop contained PHI of 599 patients
  - “Failure to conduct a thorough risk analysis”
  - Lack of a “unique user name for identifying and tracking user identity with respect to the workstation”

Selected Civil Resolutions
- University of Washington Medicine: $750,000 settlement for failing to implement policies and procedures to “prevent, detect, contain, and correct security violations.” Consider certain key factors:
  - Approximately 90,000 individuals’ PHI was accessed after an employee downloaded an attachment that contained malware.
  - Affiliated covered entities must have appropriate policies and procedures in place.
  - “Limited risk analysis”

Selected Civil Resolutions  Raleigh Orthopaedic Clinic, P.A. - $750,000 settlement for failure to have Business Associate Agreement. Consider certain key factors: Consider certain key factors: Disclosure of PHI for approximately 17,300 individuals to a potential business partner without executing a business associate agreement and lack of safeguards Disclosure of PHI for approximately 17,300 individuals to a potential business partner without executing a business associate agreement and lack of safeguards North Memorial Health Care of Minnesota - $1,550,000 settlement North Memorial Health Care of Minnesota - $1,550,000 settlement Consider certain key factors: Consider certain key factors: Involved stolen laptop from an employee of a business associate containing PHI of 9,497 individuals Involved stolen laptop from an employee of a business associate containing PHI of 9,497 individuals

Selected Civil Resolutions
- Affinity Health paid $1.2 million to settle HIPAA violation claims arising out of its failure to scrub copiers of PHI before returning them to the equipment lessor.
- Idaho State University paid $400,000 to settle a data breach resulting from the disabling of a firewall that remained undetected for 10 months.
- Parkview and Cornell Prescription Pharmacy settlements concerning paper records.
- Hospice of Northern Idaho: $50,000 for a breach arising out of the theft of an unencrypted laptop.
- See:

What do we do now?!

Requirements for Covered Entities Under HIPAA
- Risk Analysis
- Have Policies and Procedures (Privacy, Security and Breach Notification Rules)
- Implement appropriate administrative, technical, and physical safeguards to protect the privacy and security of PHI
- Notice of Privacy Practices
- Designate a Privacy Officer and a person responsible for receiving complaints regarding HIPAA
- Provide training to the workforce
- Implement “Business Associate” agreements

Requirements for Covered Entities Under HIPAA
- Provide a process for complaints, and document all complaints received and their disposition
- Provide appropriate sanctions against members of the workforce who violate the privacy policies and procedures or the HIPAA privacy regulations, and document the sanctions
- Mitigate known harmful effects of a use or disclosure of PHI in violation of policies and procedures or HIPAA regulations by the covered entity or a business associate

Requirements for Covered Entities Under HIPAA
- Permit access to information by the Secretary of DHHS
- Cooperate with complaint investigations and compliance reviews by the Secretary
- Refrain from retaliatory acts against persons exercising their rights to file a complaint with DHHS, assisting in an investigation regarding impermissible disclosures, or opposing in good faith any unlawful act or practice

Consider HIPAA Security Rules Compliance

Security Standards: General Rules
1. Ensure the confidentiality, integrity, and availability of all electronic protected health information (“ePHI”) created, received, maintained, or transmitted.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
4. Ensure compliance with the HIPAA Security Rules by the workforce.
45 C.F.R. § (a).

Flexibility of Approach
A covered entity may use any security measure that permits reasonable and appropriate implementation of the HIPAA Security Regulations. Consider the following:
(i) Size, complexity, and capabilities.
(ii) Technical infrastructure, hardware, and software security capabilities.
(iii) Costs of security measures.
(iv) Probability and criticality of potential risks to ePHI.
45 C.F.R. § (b)(2)

Implementation Specifications: Required or Addressable
Addressable specifications:
(i) Assess whether the specification is a reasonable and appropriate safeguard in the entity's environment, when analyzed with reference to its likely contribution to protecting ePHI; and
(ii) (A) Implement the specification if reasonable and appropriate; or
(B) If implementation is not reasonable and appropriate:
(1) Document why it would not be reasonable and appropriate to implement the specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
45 C.F.R. § (d).

Administrative Safeguards Standards:
1. Security Management Process
2. Assigned Security Responsibility
3. Workforce Security
4. Information Access Management
5. Security Awareness and Training
6. Security Incident Procedures
7. Contingency Plan
8. Evaluations
9. Business Associate Agreements

Physical Safeguards Standards:
1. Facility Access Controls
2. Workstation Use
3. Workstation Security
4. Device and Media Controls

Technical Safeguards Standards:
1. Access Control
2. Audit Controls
3. Integrity
4. Person or Entity Authentication
5. Transmission Security

Useful Links
- U.S. Department of Health & Human Services, Health Information Privacy
- Launch of Phase II Audit Program: enforcement/audit/index.html

Thank you!