Rational HIPAA Woes for the CFO and Business Leaders


1 Rational HIPAA Woes for the CFO and Business Leaders
Kirsten Ruzic Wild Wild Consulting, Inc. May 2017

2 What is the real risk?
Cost of Regulatory (OCR) Investigation
Internal Resources, $$$$
Cost of a Breach
Regulatory Fines and Penalties
Negative Community Perception

4 Risk Mitigation

5 What gets you Investigated by OCR?
1. Patient-complaint driven process
2. Breach Compliance Reviews
3. Reports by other individuals
4. Audits and Reviews

8 Complaint Investigations
Year   Investigated: no violation   Resolved after intake and review   Investigated: corrective action obtained   Technical assistance   Total resolutions
2013   994 (7%)                     7,068 (49%)                        3,470 (24%)                               2,754 (19%)            14,286
2014   668 (4%)                     10,653 (60%)                       1,288                                     5,128 (29%)            17,737
2015   359 (2%)                     12,785 (72%)                       730                                       3,820 (22%)            17,694

9 Complaint Investigations
Year   Investigated: no violation   Resolved after intake and review   Investigated: corrective action obtained   Total resolutions
2010   1,529 (17%)                  4,951 (54%)                        2,709 (29%)                               9,189
2011   1,302 (16%)                  4,465 (53%)                        2,595 (31%)                               8,362
2012   980 (10%)                    5,060                              3,361 (36%)                               9,401

11 Enforcement Results By State
State       Investigated: no violation   Resolved after intake and review   Investigated: corrective action
Wisconsin   10%                          71%                                18%
Michigan    9%                           73%                                18%

12 Top Five Issues in Investigated Cases
2015: 1. Impermissible Uses & Disclosures; 2. Safeguards; 3. Administrative Safeguards; 4. Access; 5. Technical Safeguards
2014: (issues not captured in the transcript)
2013: Minimum Necessary (other issues not captured in the transcript)
2012: (issues not captured in the transcript)
2011: Notice to Individuals (other issues not captured in the transcript)

13 What do you do to mitigate this risk?
Patient Complaints are not your greatest risk. You know about most patient complaints.
Understand your process for managing complaints – patient safety/quality reporting by employees, grievances and complaints from patients, hotline, etc.
Ask for a report from your Safety Reporting System
Should be able to mitigate this risk.
Never give the government a reason to walk through the door.

14 Resolution Agreements
Impermissible uses and disclosures
Your own staff
Robust education, scenarios, dialogue
Sign a Confidentiality Statement to protect organization
Employees should ask
Safeguards – protect ePHI

15 Resolution Agreements
Administrative Safeguards – Risk Assessment, employee access rights, training, P&P, etc.
Access – Patient access to their own medical record
Minimum Necessary – Robust education, scenarios, dialogue

16 2. Breach Reports and Reviews
Self-reporting – you know about these too
Wall of Shame
Largest number of records: 7,880,000 to 63,000
Since October, breach reports of 500 or more individuals:
2016 = 328
2015 = 269
2014 = 312

17 2. Breach Reports and Reviews
In breach reports of 500 or more individuals:
2013: ~257 resulted in an investigation; 152 breach investigations were closed; 80% (121) required corrective action
2014: ~285 resulted in an investigation; 239 breach investigations were closed; 90% (216) required corrective action

18 Sorted top 100 reports for largest number of individuals affected
Location of Data Breached: 12 – desktop; 6 – EMR; 7 – ; 12 – laptop; 36 – server; 8 – paper/film; 20 – other
Type of Breach: 34 – hacking; 3 – improper disposal; 5 – loss; 45 – theft of portable device; 26 – unauthorized access/disclosure; 5 – other

19 Sorted bottom 100 reports for smallest number of individuals affected
Type of Breach: 11 – hacking; 4 – improper disposal; 9 – loss; 35 – theft of portable device; 15 – unauthorized access/disclosure; 7 – other
Location of Data Breached: 15 – desktop; 7 – EMR; 6 – ; 22 – laptop; 10 – server; 30 – paper/film; 10 – other

20 Type of Entity Reporting Breach
Largest Breaches: 25 – Business Associates; 21 – Health Plan; 54 – Provider
*Largest number of providers are: private practices, general hospitals, outpatient facilities, and pharmacies
Smallest Breaches: over – Business Associates; 11 – Health Plan; 74 – Provider
*ePHI that is lost but is encrypted is not a breach!

21 What do you do to mitigate your risk of a Breach Review?
Should be receiving an Annual Breach Report
Due by March 1st of each year – 500 or more individuals
Easier not to report
Breach Analysis process
Ask questions
Be sure the risks are identified and mitigated:
Conduct a risk analysis
This should be an investigation
Policy and procedure reviewed
Re-educate employees
Take necessary disciplinary action
Timely

22 3. Reports by other individuals
Non-patient reports
Not really a complaint
Usually know about these too

23 4. Audits and Reviews
HITECH/ARRA of 2009 required audits and provided funding
Prospectively assess for compliance
Ensure Patient Rights are respected
CE and BA

24 4. Audits and Reviews
Phase 1 – pilot audit: established an audit protocol (115 CE); evaluated pilot program; revised program and readied for Phase 2
2016 (July) – Phase 2 Desk Audits launched (166 CE and 43 BA): enhanced protocols; test the efficacy of desk audits in evaluating the compliance efforts; compliance improvement activity

25 4. Audits and Reviews
Phishing Email Disguised as Official OCR Audit Communication – November 28, 2016
Pre-audit Questionnaire – must identify BAs!
May initiate a compliance review
No results until at least September 2017
Then on-site audits of CE and BA

26 4. Audits and Reviews
Samples Requested and Inquiries of Management
Privacy Rule
Security Rule
Breach Notification
Will be On-site Audits of both CE and BA after completion of desk audits

27 4. Audits and Reviews
Privacy Audits – Documentation Requested
48 areas of inquiry
P&P and Examples/samples
Personal representatives, use and disclosure for public health, decedents, minimum necessary, notice of privacy practices, amendment requests, sanctions, right to access, etc.

28 4. Audits and Reviews
Privacy Audits – Inquiry of Management
18 inquiries
INQUIRE OF MANAGEMENT how the entity recognizes personal representatives for an individual for compliance with HIPAA Rule requirements

29 4. Audits and Reviews
Business Associate Contracts
Obtain and review a sample of BAAs and evaluate whether the agreements are consistent with the performance criteria the entity has established and with its P&P.
Inquire of Management as to whether any business associate arrangements involved onward transfers of PHI to additional business associates and subcontractors
Provide a sample

30 4. Audits and Reviews
Breach Notification – Samples Requested and Inquiries of Management
12 areas of inquiry: complaints to CE, sanctions of workforce members, risk assessments resulting in low probability of compromise, PHI was not secured, breach notification sent to individuals, breach over 500, etc.

31 4. Audits and Reviews
Breach Notification
Obtain a list of risk assessments in which the CE determined that there was a low probability of compromise – so not reported on the Wall of Shame.
Sampling methodology
Inquiry of Management – Administrative requirements, timeliness of notifications, content of notification, method of notification, etc.

32 4. Audits and Reviews
HIPAA Security
Obtain Security documentation to demonstrate 100 areas of inquiry
Latest written Risk Analysis – 2 most recent, sanctions, access requests, termination of access, security awareness and training – malicious software, passwords, disaster recovery, contingency plans, etc.

33 Address the Rational Woes
Ensure your organization has a good patient complaint and resolution process
Summary report of open and closed cases, and timeframes
Understand the process
Scenario-based Education
Internalized dialogue

34 Mitigate the Rational Woes
Get a Breach Report – at least annually
Understand your Breach Reporting Process
All portable devices MUST be encrypted. Period. BYOD or organization-owned

35 Mitigate the Rational Woes
Support Business Associate Agreement (BAA) function
Contract Management! If no one is responsible, no one is responsible.
Be sure you have the BAAs you should
Be sure you know what they say
Hold BAs accountable – audit them?

36 Mitigate the Rational Woes
Support resources for HIPAA Security
Document, document, document
IT – deep, unnatural aversion to documentation
Trust but verify

37 Mitigate the Rational Woes
Risk Assessment, Risk Assessment, Risk Assessment, Risk Assessment
Continual process, never done
Need to catch vulnerabilities and threats
Regular working meetings
Document discussions and decisions in meeting minutes

38 Mitigate the Rational Woes
Cyber Insurance – manage the investigation and forensics
Organizational Culture – Blame? Lip service?
Collaboration between PO and SO
Premiere Organization – Premiere Compliance
Proper oversight

39 You shouldn’t be sleeping
Physician office with MDs using their personal portable devices for work

40 Kirsten Wild, RN, BSN, MBA, CHC
Wild Consulting, Inc. Cedarburg, WI

