What to Expect and How to Prepare: Healthcare Security & Privacy Regulation and Enforcement in 2015 and Beyond

2014  Data breaches  Settlements & Resolution Agreements  Approximately $5.5 million collected  Greatest number of HIPAA settlements  HIPAA Audits  Leadership changes  Complaints, compliance reviews & investigations

“OCR’s strong enforcement of the HIPAA privacy, security, and breach notification rules, remains very much on track.”

2015  HIPAA Audits  Enforcement  Complaints, compliance reviews & investigations

HIPAA Audits  Policies & procedures – daily activities  Staff knowledge & training  Cybersecurity – Risk assessments, breach notification & access controls  Privacy notice practices  Audit protocol  cement/audit/protocol.html cement/audit/protocol.html

Enforcement  6,000+ open investigations  Increased focus on negotiating settlements  Various methods for enforcement

Complaints & Investigations  Complaints volume increases each year  Record number expected for 2015  Inconsistency between regional offices  Request policies & procedures (mini audits)  Culture of compliance

How to Prepare 1. Cybersecurity 2. Business Associate Agreements

Cybersecurity  Gap analysis  Staff training  Inventory of systems & devices  Regular review of policies & procedures

Business Associate Agreements  HITECH Act  Increased negotiation surrounding BAAs  Indemnity  Which entity is responsible for breach notification & responding to patient requests  Subcontractor BAAs  Termination rights for material breach

Takeaways  Audit first  Review and negotiate BAAs  Dust off Policies & Procedures  Addressable Elements  Compliance Culture

Questions ?

Carrie S. Gilbert Dressman Benzinger LaVelle psc