HIPAA Audits are Here - Be Ready! Presenter: Diane Evans, PUBLISHER, MyHIPAA Guide

Goals for Providers:
1. Create a culture of vigilance
2. Protect patient/resident information
3. Avoid fines, settlements and corrective action plans

Presentation Covers:
1. HIPAA Overview/How to Create a Culture of Compliance
2. 10 Step Plan to Compliance
3. What to Expect in an Audit

In the beginning: Passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Mandates include:
● National security standards for the use of electronic healthcare information
● Privacy standards for protected health information
Through the mid 2000s: Little enforcement
By 2008: 33,000 complaints filed, resulting in 8,000 investigations and no fines.

A natural disaster changes everything
2005: Katrina reveals the public threat of mass loss of paper health records
2009: Passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act
Result:
● The law strengthens civil and criminal enforcement of the HIPAA rules and requires audits for enforcement.

Now we’re ready to go to work. So first things first.
Create authority & a clear job description for the Compliance Officer
The CO’s job is to:
● Cultivate an environment of compliance
● Develop a system for compliance, recognizing that it takes a community to foster the integrity that results in daily vigilance

Execute a Compliance Program Charter
Build a solid foundation to support the Compliance Officer:
1. Set forth principles of Professional Ethics & Integrity
2. Spread the responsibility: Compliance is everyone’s job
3. Spell out the specific tasks assigned to the Compliance Officer
4. Protect the Compliance Officer from liability/retaliation
Note: A sample Compliance Program Charter will be provided on request

Now the CO can tend to the details of what to do
In 2013, the US Department of Health and Human Services announced a 10 step plan for compliance as an easy reference point.
Step 1: Make sure you need to comply with HIPAA
Step 2: Put somebody in charge: You need both a Privacy Official and a Security Official. The same person may fill both roles depending on the size of your organization.

Step 3: Document processes, findings, and actions
Document everything, including risk assessments, procedures, actions, findings, staff training, and everything else covered in the 10 Step Plan. Organize your compliance documentation in central locations, so both paper and electronic records can be easily referenced. In an audit, expect the first request to be for your documentation.

Step 4: Conduct a security risk analysis
This is one of the most critical steps for compliance. Protect PHI as you would protect your home. In other words, think about risks and what you can do to minimize them.
Community-based agencies: Assess risks at every location where private health information is stored.
● Anticipate ways someone, or some group, might compromise files or databases containing PHI, followed by actions to reduce risks
● Plan for disasters such as floods or disruptions such as power outages

Steps 5 & 6: Develop an action plan & carry it out daily
Using your risk analysis results, develop an action plan to mitigate the identified risks. Action plans should cover five broad categories:
1. Administrative safeguards: Create processes for achieving compliance
2. Physical safeguards: Protect facilities where health information is stored
3. Technical safeguards: Guard databases, computers and other devices containing PHI
4. Policies and procedures: Develop formal policies and procedures and document everything
5. Organizational practices: Practice daily habits that create a mindset of protecting individual health information

Step 7: Prevent Breaches
To safeguard patient health information, staff must know how to implement policies, procedures, and security audits. HIPAA requires workforce training on policies and procedures. Staff must also receive formal training on breach notification.

Step 8: Communicate with patients
First keep in mind this overarching principle: Communicating privacy obligations is more than just an exercise in form development and standard procedures. It’s about communicating a PROMISE to people to protect their rights to privacy. For an organization, it’s about transparency and ultimately INTEGRITY - to be true to the talk!

Step 8 Cont’d: Patient Privacy Notices
Treat your privacy notice as more than just a boilerplate document. Key points to keep in mind:
~ It’s not a one and done -- they need to be updated regularly; set a policy to review them every two years for updates
~ Don’t just hand them out for a signature; create a ‘script’ for your staff so they can explain patient rights
~ Create a laminated ‘card’ with highlights and call-outs as a way of educating your staff (e.g. so they know when they are obligated to share information with police officers and other authorities)
~ Make privacy notices accessible to your patients and their families or guardians; provide them in English, Spanish or any other language that your patients may speak (Google Translator can help!)
~ Finally, POST THEM – make them available on your website and in common areas people in your organization see; make them BIG and COLORFUL

Step 8 Cont’d: Breach Notification
It’s not only the law, it’s about Promises to People. Even though HIPAA laws have strict guidelines to notify people when information is compromised, make HIPAA the basement rule. Set your standard so it doesn’t just meet the MANDATORY requirement. Set your standard high and share it with the people you serve. Key points to consider as your standard:
~ While we take every step possible to protect information, if privacy is compromised for ANY reason, we promise to let you know and make it right to the best of our ability.
~ We promise to train our staff to avoid any possible breaches or exposures – and if breaches occur, we promise to take any and all appropriate actions (up to and including disciplinary action).
~ We promise to let you know your rights. If we made a mistake and you aren’t happy with our corrective actions, we will let you know how to file a claim with the US Office for Civil Rights.

Step 9: Update or execute BAAs
A Business Associate is a person or organization (other than an employee of a covered entity) who performs functions or provides services related to creating, receiving, maintaining, or transmitting PHI on behalf of your organization. A written contract with your Business Associate must:
● Detail the uses and disclosures of PHI the Business Associate may make
● Require that the Business Associate safeguard PHI

Step 10: Attest for the Security Risk Analysis Meaningful Use Objective
Pertains only to providers in the Medicare/Medicaid Incentive Program

How to accomplish compliance with clear goals in mind
~ Create a work plan with specific tasks/deliverables assigned to appropriate individuals
~ Organize your plan around major priorities, such as policy management, risk assessment and vendor/contractor accountability
~ Set deadlines

Sample organizational structure for a work plan

Successful Leadership = A Culture of Compliance
Evidenced by:
~ Staff take privacy issues seriously
~ Safeguards become daily routines
~ Staff expect to be held accountable

Penalty Schedule (Source: American Medical Association)

1. Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
   Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: the maximum that can be imposed by State Attorneys General regardless of the type of violation)
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

2. HIPAA violation due to reasonable cause and not due to willful neglect
   Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

3. HIPAA violation due to willful neglect but violation is corrected within the required time period
   Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

4. HIPAA violation is due to willful neglect and is not corrected
   Minimum/maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Disclaimer: The content of this presentation is informational only and does not constitute legal advice. Health care providers need to assess their own legal obligations.