Auditing and Monitoring for HIPAA Compliance

Auditing and Monitoring for HIPAA Compliance
Laurie Radler, RN
Tina Sernick, RN JD
February 8, 2002

The Elements of a Corporate Compliance Program
There are seven key elements of an effective healthcare provider corporate compliance program, as recommended by the OIG:
- Written Policies & Procedures
- Designation of a Compliance Officer and Compliance Committee
- Training and Education
- Effective Lines of Communication
- Disciplinary Guidelines
- Auditing and Monitoring
- Responding to Detected Offenses and Developing Corrective Action Initiatives
DHHS adhered to these principles when developing the regulatory scheme for HIPAA compliance.

The HIPAA Compliance Program
The Health Insurance Portability & Accountability Act of 1996 (HIPAA) Privacy Regulations incorporate the seven key elements of an effective healthcare provider corporate compliance program.

Health Insurance Portability & Accountability Act of 1996
HIPAA is organized into titles:
- Title I: Healthcare Portability
- Title II: Administrative Simplification
  - Transaction Standards
  - Standard Code Sets
  - Unique Health Identifiers
  - Security Standards
  - Electronic Signature Standards
  - Information Between Health Plans
  - Privacy
- Titles III, IV, V
Title II aims to:
- Establish standards and requirements for the transmission of certain health information
- Reduce health care fraud and abuse
- Guarantee security of health information
- Require privacy legislation surrounding the use of individually identifiable health information

Health Insurance Portability & Accountability Act of 1996
Examples of Covered Entities:
- Health Care Provider: Hospitals, Physicians, Pharmacies
- Multi-Plan Organization: Corporate Parent, Separate Health Plans, Various State regulations
- Multi-Line Insurance Company: Health, Life, Disability, etc.; Shared Job Functions (Underwriting for both health and other policies, Claims adjudication)
- HMO Products: Combine treatment & payment
- Privacy: Variations in Uniform Standards, Business Unit Processes, Regulations

Health Insurance Portability & Accountability Act of 1996
HIPAA Regulations, current timeframes. It is never too early to start your prep for HIPAA!

Regulation                        Proposed         Final               Compliance
Transactions & Code Sets*         May 1998         August 17, 2000     October 16, 2002
Unique Identifiers: Plan          April 2000       April 2001
Unique Identifiers: Provider      May 1998         Q2 2001
Unique Identifiers: Employer      June 1998        Q2 2001
Unique Identifiers: Individual    On hold          On hold             N/A
Security                          August 1998      Unknown
Electronic Signatures             August 1998      Unknown
Privacy                           November 1999    February 14, 2001   April 14, 2003

* Covered Entities may apply for an extension, but must meet specific requirements.

Auditing & Monitoring for HIPAA Compliance

Auditing & Monitoring – Role of Internal Auditor
Integrating HIPAA requirements into the Internal Audit Process:
- Mission & Objectives: Safeguarding Health Information; Key Subject Matter Experts; Compliance Oversight (Privacy Official, Enterprise-wide Information Security Structure)
- Risk Assessment: Identify key high risk areas relating to use and disclosure of PHI; Compliance Issues; Management Style; Compliance Structure; Due Diligence of Compliance with Third Party Agreements
- Audit Plan: Risk/Control Management Focus; Compliance priorities; Self Analysis; Best Practices/Benchmarks
- Audit Testing: Controls/Substantive Testing
- Reports & Feedback: Detail/Summary Reports; Recommendations; Performance Assessment; Special Audits

Auditing & Monitoring – Role of Internal Auditor
Internal Audit’s awareness of HIPAA Compliance Mission and Objectives:
- Safeguarding Protected Health Information (“PHI”)
- Identifying risk of improper use and disclosure
- Discussions with Key Subject Matter Experts (“SMEs”)
- Review of HIPAA policies and procedures
- Develop foundation for understanding of HIPAA compliance opportunities and risks

Auditing & Monitoring – Role of Internal Auditor
HIPAA Compliance Risk Assessment:
- Used to identify, measure and prioritize compliance risks to help the internal auditor evaluate and test critical internal controls
- Requires key SMEs in such departments as Compliance, Human Resources, Claims, Billing, Marketing, Research and other areas that use and disclose PHI
- Provides a dynamic corporate audit plan that identifies proposed audit coverage and “knowledge” resource requirements pertaining to security and privacy requirements
- Internal Auditor recognized as a value-added business advisor

Auditing & Monitoring – Role of Internal Auditor
HIPAA Compliance Risk Assessment (cont.):
- Evaluate privacy office structure and HIPAA implementation plans to address administrative functions, use and disclosure of PHI, individual rights afforded, and business associate requirements
- An understanding of relationships with third parties such as Business Associates
- Due diligence in response to Business Associates’, Chain of Trust and Trading Partners’ violation of their third party agreements
- Identification of control weaknesses that may cause violations of security and privacy requirements

Auditing & Monitoring – Role of Internal Auditor
Development of Corporate Audit Plan
[Figure: risk/control matrix. Axes: Risk (low to high) and Control (low to high); quadrants I, II, III and IV; arrow labelled “Greater Need for Audit Procedures”.]

Auditing & Monitoring – Role of Internal Auditor
HIPAA Compliance Audit Testing:
- Audits should focus on areas of vulnerability identified in the initial assessment
- Determine the effectiveness of an institution’s HIPAA policies & procedures
- Work with the HIPAA Privacy Official, Security & TCI SMEs in evaluating and testing the effectiveness of the HIPAA implementation plan policies, procedures and business processes
- Benchmark by selecting high risk departments and reviewing their policies and procedures to determine if there is a gap between those policies and procedures and HIPAA requirements

Auditing & Monitoring – Role of Internal Auditor
HIPAA Compliance Audit Testing (cont.):
- Create ongoing assessment checklists which allow your organization to constantly monitor exposure through use of:
  - HIPAA Implementation Work Plans and DHHS Compliance Guidance Reports
  - Statutes and Regulations distribution
  - Journals and Newsletters distribution
- Implement a corporate-wide ongoing self-evaluation process to monitor and validate the effectiveness of the program
- HIPAA Compliance Department to provide each department with self-monitoring tools to measure against the HIPAA requirements
- HIPAA Compliance Department can facilitate enforcement of departments’ self-evaluation processes

Auditing & Monitoring – Role of Internal Auditor
Reports and Feedback:
- Recommend corrective measures, including the development of revised policies and procedures, to meet HIPAA requirements
- Significant findings and action taken should be documented and communicated to the Audit Committee, Privacy Office and Committee, and Board of Trustees
- Performance assessment of trends identified as control weaknesses and compliance violations
- Re-audit as necessary based upon initial findings and associated risk
- Conduct Special Audits as needed, e.g. follow-up after notification of violation of a BA agreement not to disclose PHI

Auditing & Monitoring – HIPAA Compliance Areas
It is recommended that the following areas be evaluated during an internal HIPAA audit:
- Accounting
- Actuarial
- Administration
- Agents/Brokers
- Audit
- Billing
- Business Office
- Claims
- Compliance
- Contracts
- Corporate Office
- Customer Service
- Enrollment
- Facility Management
- Human Resources
- Information Technology
- Legal
- Marketing/Sales
- Medical Staff
- Purchasing
- Records
- Sales
- Underwriting

Auditing & Monitoring - TCI
Monitoring Activities During HIPAA Implementation: measure implementation progress against detailed HIPAA readiness workplans.
- Check implementation progress against established deadlines.
- Review electronic testing plans and results of tests.
- Run code scans to determine whether prohibited codes have been eliminated.

Auditing & Monitoring - TCI
Ongoing Monitoring Activities:
- Determine if there are edit mechanisms in place to flag noncompliant transactions. Test system edits.
- Perform ongoing testing of transactions to confirm that the HIPAA transaction requirements (e.g., new transactions, addenda to existing transactions) are implemented.
- Perform coding reviews on a periodic basis. Compare an electronic file of HIPAA compliant codes to an electronic file of codes used and test for discrepancies. Alternatively, review log books for new code requests.
- Review the budget to determine if it needs to be updated for additional remediation.
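The code scan and the code-set comparison described on the two TCI slides above reduce to one mechanical check: every code appearing in the organization’s transactions must be a member of the approved (compliant) code set, and any transaction carrying a code outside that set should be flagged by an outbound edit. The script below is an added example written for this page; it is not from the presentation or from Deloitte. The two CSV files, the code values (99213, 99214, J3490, LOCAL1, X9999) and the transaction ids are constructed sample data, not a real code set.

```python
"""Code-set discrepancy check for HIPAA transaction monitoring.

Added example (not from the presentation). Models the two checks on the
TCI monitoring slides: a periodic coding review that compares an electronic
file of compliant codes against the codes actually used, and an outbound
"edit" that flags transactions carrying a noncompliant code.
All file contents and code values are constructed sample data.
"""
import csv
import io
from collections import Counter

# Constructed sample: the approved code set, one code per row.
COMPLIANT_CODES_FILE = """code,description
99213,Office visit - established patient (sample)
99214,Office visit - established patient (sample)
J3490,Unclassified drug (sample)
"""

# Constructed sample: codes actually submitted on transactions. It includes a
# legacy local code (LOCAL1) and an unknown code (X9999, once in lower case)
# that remediation should have eliminated.
CODES_USED_FILE = """transaction_id,code
T0001,99213
T0002,99214
T0003,x9999
T0004,99213
T0005,LOCAL1
T0006,X9999
"""


def normalize(code):
    """Normalize a code for comparison: strip whitespace, upper-case."""
    return code.strip().upper()


def load_compliant_codes(text):
    """Parse the compliant code-set file into a set of normalized codes."""
    return {normalize(row["code"]) for row in csv.DictReader(io.StringIO(text))}


def load_codes_used(text):
    """Parse the codes-used file into (transaction_id, code) pairs."""
    return [(row["transaction_id"].strip(), normalize(row["code"]))
            for row in csv.DictReader(io.StringIO(text))]


def find_discrepancies(compliant, used):
    """Periodic coding review: map each noncompliant code in use to the
    number of transactions carrying it."""
    return Counter(code for _, code in used if code not in compliant)


def flag_noncompliant_transactions(compliant, used):
    """Outbound edit: return the transaction ids that would be held for
    review because their code is not in the compliant set."""
    return [tid for tid, code in used if code not in compliant]


def discrepancy_report(compliant_text=COMPLIANT_CODES_FILE,
                       used_text=CODES_USED_FILE):
    """Run both checks and return the results as a summary dict."""
    compliant = load_compliant_codes(compliant_text)
    used = load_codes_used(used_text)
    bad = find_discrepancies(compliant, used)
    return {
        "transactions_checked": len(used),
        "noncompliant_codes": dict(bad),
        "flagged_transactions": flag_noncompliant_transactions(compliant, used),
        "compliant": not bad,
    }


if __name__ == "__main__":
    result = discrepancy_report()
    print(f"Transactions checked: {result['transactions_checked']}")
    for code, count in sorted(result["noncompliant_codes"].items()):
        print(f"  noncompliant code {code}: {count} transaction(s)")
    print("Flagged transactions:",
          ", ".join(result["flagged_transactions"]) or "none")
```

Run against the sample data the report lists X9999 (twice, once submitted in lower case) and LOCAL1 as codes outside the compliant set and flags transactions T0003, T0005 and T0006. Normalizing case and whitespace before comparison matters: without it a scan would pass the lower-case variant and the discrepancy count would understate the remediation still required. The same two functions can be pointed at real extracts of the code master and the transaction log in place of the embedded strings.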

Auditing & Monitoring - Security
- Administrative Procedures: Evaluate documented administrative procedures pertaining to the selection and execution of security measures that protect data and manage the conduct of personnel in relation to the protection of data.
- Physical Safeguards: Evaluate the physical computer systems and related buildings and equipment for protection from fire and other natural environmental hazards, including intrusion.
- Technical Security Services: Evaluate the processes in place that protect information and control individual access to information.
- Technical Security Mechanisms: Evaluate the processes in place that guard against unauthorized access to data that is transmitted over a communications network.
- Electronic Signatures: Evaluate whether electronic signatures are in place and, if so, determine whether they are used on electronic documents to bind them to a particular entity.

Auditing & Monitoring - Privacy
Administrative:
- Determine if a Privacy Official has been appointed.
- Determine that employees have been trained on the organization’s privacy policies and general HIPAA requirements.
- Review procedures relating to disclosing or transmitting member information.
- Determine if there is a process to monitor HIPAA compliance.
- Determine if there is a process in place to address individual complaints about privacy violations.
- Determine if there is a process in place for the organization to take corrective action for violations.
- Determine if there is a policy in place to address employee discipline and a process to accomplish this for privacy violations.

Auditing & Monitoring - Privacy
Use and Disclosure of PHI:
- Evaluate whether procedures or processes are in place to check that an individual has given the organization written permission to make a disclosure, where such permission is necessary.
- Determine if a process is in place to identify appropriate uses of PHI.
- Determine if a process is in place that identifies routine and non-routine disclosures of PHI.
- Determine if a minimum necessary policy is in place for the organization to respond to requests for and disclosures of PHI.
- Determine if a verification process is in place.
- Determine if any policies and procedures exist with respect to the organization’s group health plan and, if so, whether there are processes in place that restrict the disclosure of employee health information and address the plan document.

Auditing & Monitoring - Privacy
Use and Disclosure of PHI (cont.):
- Determine if the organization has a system to track disclosures as required.
- Determine if a policy exists to determine if authorizations are valid.
- Determine if a policy or process is in place to require minimum necessary use and disclosure, noting exceptions (e.g., physician requests, individual requests).
- Determine if there is a process in place to designate the record set for an individual.
- Determine if departments have a policy that addresses deleting all PHI from member information before disclosing the information outside the company.
- Determine if there is a process in place to obtain patient authorization for marketing and fundraising activities.

Auditing & Monitoring - Privacy
Individual Rights:
- Determine if there is a process in place that requires the organization to permit individuals the right to access, copy and amend their protected health information.
- Determine if there is a process in place that requires the organization to respond to requests for restrictions on disclosure.
- Determine if there is a policy in place that addresses accounting for individual PHI disclosure.
- Determine if there is a policy in place to address individuals’ requests not to be in a facility directory.

Auditing & Monitoring - Privacy
Business Associates:
- Determine if there is a process in place to address Business Associate Agreements.
- Determine if there is a process in place to identify and maintain current lists of Business Associates.
- Determine if there is a policy in place to address non-compliance with Business Associate Agreements.

Questions and Answers
Laurie Radler, RN
Tina H. Sernick, RN JD
Principal, Deloitte & Touche, LLP, 516 918-7853
Tina H. Sernick, RN JD, Manager, Deloitte & Touche, LLP, 212 492-4870