Presentation is loading. Please wait.

Presentation is loading. Please wait.

Achieving Continuous HIPAA Compliance Tips & Tricks Gary Swindon RiskWatch, Inc.

Published byEarl McKenzie Modified over 8 years ago

Similar presentations

Presentation on theme: "Achieving Continuous HIPAA Compliance Tips & Tricks Gary Swindon RiskWatch, Inc."— Presentation transcript:

1 Achieving Continuous HIPAA Compliance Tips & Tricks Gary Swindon RiskWatch, Inc.

2 Achieving Compliance  Compliance Rules & Characteristics  The Keys to Achieving Compliance Goals  The Other Interested Groups  Steps to Creating a Common Focus-for Superior Results  Sleeping Well at Night-or: ‘Do You Know Where Your Data Is?’  Compliance as a Way of Life

3 Compliance Rules & Characteristics  Rule #1: If you believe that you can achieve compliance once-for all time; you are doomed and YOU WILL FAIL! Decide to change your mindset now and the mindset of those around you Decide to change your mindset now and the mindset of those around you Be willing to look beyond HIPAA compliance and those who have been ‘blessed’ with Privacy & Security duties as a result Be willing to look beyond HIPAA compliance and those who have been ‘blessed’ with Privacy & Security duties as a result

4 Get to Know the ‘Rules’ RegulationHIPAASOXGLBA Regular Risk Assessment Explicitly Required Implicitly Required (Section 404) Explicitly Required QuantitativeVsQualitativeQuantitativeImpliedQuantitativeImpliedQuantitativeImplied Regular Audit Required Yes Non- financial Compliance*YesYes

5 HIPAA Security Rule Governing Principles SafeguardsStandards Cost Capability Resources Suitability Risk Management Regular Evaluations Administrative Technical Physical Addressable Required Documentation

6 HIPAA Privacy Rule Governing Principles ExceptionsStandards -Protection -Notice -Consent -Patient Best Interest -Protection -Notice -Consent -Patient Best Interest -Treatment -Payment -Operations -Legal -Treatment -Payment -Operations -Legal -Need to Know -Minimum Necessary -Need to Know -Minimum Necessary

7 HIPAA Transactions & Code Sets Rule Governing Principles TransactionsStandards -Standard Data Formats -No Vendor Unique Items -Standard Data Formats -No Vendor Unique Items -270/271 Elig. -276/277 Status -278 Review -820 Payroll -834 Enrollmnt. -835 Advice -837 Claim -270/271 Elig. -276/277 Status -278 Review -820 Payroll -834 Enrollmnt. -835 Advice -837 Claim -ICD-9-M -NDC -CPT-4 -ADA -ICD-9-M -NDC -CPT-4 -ADA

8 Compliance Rules & Characteristics-Continued  Rule #2: Continuous compliance is a process not a destination. Starting and stopping a program only breeds confusion w/o lasting beneficial results Starting and stopping a program only breeds confusion w/o lasting beneficial results Remember that processes also require measurement; like all good stories they have a beginning, a middle and an end for clearly defined goals Remember that processes also require measurement; like all good stories they have a beginning, a middle and an end for clearly defined goals

9 ‘The’ Compliance Process Risk AssessmentAuditGovernance Assets Threats Vulnerabilities Losses Controls (Safeguards) Testing Measurement Scorekeeping Replicate Sustain Maintain (Business Process)

10 Building Controls-The Process Control Technique Testing Protocol Reference General Requirement Master Conditions Related Controls Risk Assessment & Audit Plan Risk Assessment & Audit Plan

11 Compliance Rules & Characteristics-Continued  Rule #3: If you believe that you can do it by yourself you need clinical help. It truly does not matter how effective you are in your job-you are one person It truly does not matter how effective you are in your job-you are one person You can be a beacon, a guide, and a focal point but; others will determine your success You can be a beacon, a guide, and a focal point but; others will determine your success

12 Compliance Rules & Characteristics-Continued  Rule #4: Checklists are not compliance. The most critical aspect of continuous compliance is risk assessment; without it you are flying blind (paragraph 164.308 requires both risk assessment and risk management) The most critical aspect of continuous compliance is risk assessment; without it you are flying blind (paragraph 164.308 requires both risk assessment and risk management) You need a stable base from which to measure your success You need a stable base from which to measure your success

13 The Keys to Achieving Compliance Goals  As the song says: ‘Get a plan Stan’ Document your goals and expected outcomes Document your goals and expected outcomes Pay attention to the baseline HIPAA rules: but don’t neglect other laws etc. Pay attention to the baseline HIPAA rules: but don’t neglect other laws etc. Identify those who will gain and lose from the effort Identify those who will gain and lose from the effort Get senior management buy in Get senior management buy in Document the financial and organizational impacts from your efforts Document the financial and organizational impacts from your efforts

14 The Keys to Achieving Compliance Goals-Continued  Perform a good risk assessment: Ideally, it should be quantitative not qualitative Ideally, it should be quantitative not qualitative The results should provide things you need: The results should provide things you need: Identify weaknesses, threats, & exposuresIdentify weaknesses, threats, & exposures Identify mitigation effortsIdentify mitigation efforts Identify potential costs of mitigationIdentify potential costs of mitigation Identify the level of risk that the organization is willing to acceptIdentify the level of risk that the organization is willing to accept  Provide a stable ‘baseline’ from which to measure the impact of your efforts

15 Applications Databases Patient Info Medical Records Hardware System Software Delays & Denials Fines Disclosure Modification Direct Loss Disclosure Hackers Fraud Viruses Network Attack Loss of Data Embezzlement Acceptable Use Disaster Recovery Authentication Network Controls No Security Plan Accountability Privacy Access Control AssetVulnerabilityThreatLoss The ‘Links’ Incident Class Incident Conditioned Incident Risk = Asset  Loss  Threat  Vulnerability Degree of Seriousness

16 The Keys to Achieving Compliance Goals-Continued  Tie the desired outcomes to the efforts of others-where should help come from?  Get resources committed to the process: Management Support Management Support People People Money Money  Provide feedback and measurement

17 The Other Interested Groups  Remember that there are others with a goal set similar to yours-and they can help: Internal Audit Internal Audit Information Security Information Security Privacy Group Privacy Group Patient Care Advocates/Patient Care Coordinators Patient Care Advocates/Patient Care Coordinators Human Resources Human Resources Health Information Management Health Information Management EDI Support Group/Activity EDI Support Group/Activity

18 Steps to Creating a Common Focus-for Superior Results  Committees can help do the work Standing Committees: Privacy, Security & Policy Standing Committees: Privacy, Security & Policy Involve senior directors/managers-NOT VPs Involve senior directors/managers-NOT VPs Don’t forget the clinical side Don’t forget the clinical side  Useful education focused on the common goals Training, Education, Awareness; who gets what & when; home vs work PCs etc. Training, Education, Awareness; who gets what & when; home vs work PCs etc. Remember HIPAA says everyone gets educated; there are no exceptions Remember HIPAA says everyone gets educated; there are no exceptions

19 Joining and Combining Focus-for Superior Results-Continued  Establish a HIPAA Privacy & Security Liaison Program: Management level people Management level people All areas of operations including food service All areas of operations including food service Assigned as an additional duty Assigned as an additional duty Conducts quick checks on departments Conducts quick checks on departments No set schedule but set goals for the number of assessments No set schedule but set goals for the number of assessments Collect the results and report them Collect the results and report them

20 Joining and Combining Focus-for Superior Results-Continued  Participate in awareness events or become the catalyst for them: AHIMA and others have a National Week declared for healthcare related activities AHIMA and others have a National Week declared for healthcare related activities Combine observances such as Compliance Week etc. into a once a year activity Combine observances such as Compliance Week etc. into a once a year activity Set up a booth or table near cafeterias; give away prizes for completing compliance puzzles Set up a booth or table near cafeterias; give away prizes for completing compliance puzzles Give away candy or key chains etc. ask questions at random on HIPAA issues Give away candy or key chains etc. ask questions at random on HIPAA issues

21 Joining and Combining Focus-for Superior Results-Continued  Start a voluntary HIPAA assessment/evaluation program: No blame activities; blame kills participation No blame activities; blame kills participation Business units can request the Privacy & Information Security Officer do a walk through Business units can request the Privacy & Information Security Officer do a walk through Educational support for on the spot corrections Educational support for on the spot corrections Include ‘Dumpster Diving’ activities (sometimes called the latex glove approach) Include ‘Dumpster Diving’ activities (sometimes called the latex glove approach)

22 Joining and Combining Focus-for Superior Results-Continued  Tie the compliance program to the internal audit program: The common basis for both should be the risk assessment process The common basis for both should be the risk assessment process Formalizes critical compliance monitoring as one more set of ‘eyes & ears’ Formalizes critical compliance monitoring as one more set of ‘eyes & ears’  Create & publish a Compliance Bulletin: Privacy, Security, Compliance & Internal Audit news and tips: make it a resource for everyone Privacy, Security, Compliance & Internal Audit news and tips: make it a resource for everyone

23 Sleeping Well at Night-or: ‘Do You Know Where Your Data Is?’  Acknowledge that most of your information is on or stored in a computer: Technical evaluation of the IS/IT risk is also necessary Technical evaluation of the IS/IT risk is also necessary Tie the technical security manager to the Corporate Information Security Officer at least on a dotted line Tie the technical security manager to the Corporate Information Security Officer at least on a dotted line Require regular monitoring and reporting on the technical risks to your information Require regular monitoring and reporting on the technical risks to your information

24 Sleeping Well at Night-or: ‘Do You Know Where Your Data Is?’  Organize for success: (if possible) Move Privacy, Security, Compliance & Internal Audit into the same organization Move Privacy, Security, Compliance & Internal Audit into the same organization Have the organization report to the audit/or management committees of your board Have the organization report to the audit/or management committees of your board Require quarterly reporting on all compliance activity to the full board Require quarterly reporting on all compliance activity to the full board Give the organization its own legal counsel independent of any corporate legal group Give the organization its own legal counsel independent of any corporate legal group

25 Compliance as a Way of Life  Remember: Your organization’s size does not matter when it comes to compliance Your organization’s size does not matter when it comes to compliance You can have a continuous compliance program but you have to work at it You can have a continuous compliance program but you have to work at it You cannot have an effective program without good risk assessments You cannot have an effective program without good risk assessments You have to be willing to try new ideas and you have to support them You have to be willing to try new ideas and you have to support them

26 Questions? gswindon@riskwatch.com 410-224-4773 x-121

Download ppt "Achieving Continuous HIPAA Compliance Tips & Tricks Gary Swindon RiskWatch, Inc."

Similar presentations

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
Presented by the Office of the General Counsel An Overview of HIPAA.

Presented by the Office of the General Counsel An Overview of HIPAA.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Health information security & compliance

Health information security & compliance
Core principles in the ASX CGC document. Which one do you think is the most important and least important? Presented by Casey Chan Ethics Governance &

Core principles in the ASX CGC document. Which one do you think is the most important and least important? Presented by Casey Chan Ethics Governance &
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

Similar presentations

Ads by Google