TRANSCRIPT
Disclaimer
This webinar may be recorded. This webinar presents a sampling of best practices and overviews, generalities, and some laws. This should not be used as legal advice. Itentive recognizes that there is not a “one size fits all” solution for the ideas expressed in this webinar; we invite you to follow up directly with us for more personalized information as it pertains to your specific practice and issues.
Thank you, and enjoy the webinar.
About Us
Our passion is to provide solutions for our healthcare provider partners which help them improve patient care, enhance the patient experience and maintain a financially healthy practice.
Since 2003 we have specialized in NextGen® Healthcare services including:
• Consulting
• Hosting
• Customization
• And productivity tools such as ChartGuard® and RefundManager®
Upcoming Webinars
The Future of Healthcare Delivery: Telemedicine
• Wednesday, September 21, 2016
Also, keep your eyes peeled for any other webinar invites dependent on future regulatory changes
How to Survive a HIPAA Audit
With HIPAA One and Itentive
Presenters
Steven Marco
President and Founder
Bobby Seegmiller
VP of Business Development
Christ Floros
Managing Consultant, Security & Compliance
Today’s Agenda
HIPAA Basics and Benefits
Risk Analysis Documentation
Risk Management Methodology
Audit Preparation Tips
OCR Audit Updates
Company Introduction
HIPAA Compliance & Data Security
Healthcare compliance and risk management
Experts in talent, solutions and methodologies
Dedicated to constant improvement
HIPAA One® Risk analysis software:
Over 2,400 sites (CEs and BAs) protecting ePHI
Automation of all mundane labor-intensive activities
Privacy and Breach Notification recently added!
Developed and maintained in USA
Current with updated HIPAA Audit Protocol
Disclaimer: We are not attorneys, but as auditors must understand HIPAA!
Simple. Automated. Affordable.
HIPPOs and HIPAA
Problem – High Chance of an Audit
There are 5 ways to get audited:
1. Patient Complaint/Whistleblower
• Privacy (PHI), Security (ePHI) or possible Breach Notice
2. Breach Notice
• Omnibus update: all unauthorized disclosures are breaches
3. Meaningful Use
• Core Measure regarding “Protecting ePHI”
4. Random Audit
• Newman Research, Audit Protocol, ongoing audits
5. Business Associates
• Regardless of whose fault it is, the CE is responsible
HIPAA Compliance Overview
1. Regulatory Compliance: PCI, HIPAA, SOX, GLBA
2. HIPAA – Health Insurance Portability and Accountability Act (1996)
• Title I: Insurance Portability
• Title II: Fraud & Abuse & Medical Liability Reform; Administrative Simplifications
  – Privacy
  – Security
  – EDI (Electronic Data Interchange): Transactions, Code Sets
• Title III: Tax Related Health Provisions
• Title IV: Group Health Plan Requirements
• Title IV: Revenue Offsets
3. Office for Civil Rights: Compliant?
• YES – Security Risk Analysis
• NO – Audit Enforcement
Where is your ePHI?
In a Breach, Who reports?
Covered Entities (CE) are responsible for reporting a breach to:
• the HHS – upon discovery if 500 or more individuals are affected, and not later than 60 days after the end of each calendar year if less than 500
• the individuals affected – without unreasonable delay, but in no event later than 60 days after the discovery of the breach
• prominent media outlets – if 500 or more individuals are affected
Business Associates (BA) are responsible for reporting breaches to the CE following the discovery of a breach of unsecured protected health information.
In a Breach, Who pays?
Covered Entities (CE) – § 160.402(c)(1): “A covered entity is liable…for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.”
Business Associates (BA) – § 160.402(c)(2): “A business associate is liable…for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.”
How to Prepare For An Audit?
• Perform a comprehensive HIPAA Security Risk Analysis
• React: implement plans to remediate deficiencies
• Understand HIPAA Compliance vs. HIPAA Security
HIPAA Security is the effort to safeguard ePHI to preserve the confidentiality, availability and integrity of the data.
HIPAA Compliance is the act of proving the organization’s intent to meet the requirements of the HIPAA Security Rule.
OCR’s Final Guidance on Risk Analysis:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html
MACRA introduces CMS QPP
MACRA streamlines existing quality reporting programs into one NEW Quality Payment Program (QPP), and expands the potential rewards for adopting risk-based contracts.
MIPS – Merit-Based Incentive Payment System
Combines aspects of the MU, PQRS, and VM programs – plus clinical practice improvement activities. Participants receive a score, which results in an incentive payment or penalty dependent on scoring relative to peers.
APMs – Alternative Payment Models
For providers with a significant portion of revenue coming from two-sided risk contracts, many of which are being designed by CMS. Participants are exempt from MIPS requirements, and may be rewarded annual bonuses of up to 5%.
QPP performance in 2017 will impact Medicare payments in 2019.
Stay tuned for more information!
HIPAA Audit Protocol Update
• All protocols have been updated
• More Policies and Procedures
• Asking for evidence demonstrating compliance
• Security: BAAs & Plan Sponsors need “Satisfactory Assurances”
• Privacy: Minimum Necessary between CEs
• Breach: Training, Complaints, Sanctions
• Over 1654 updates in total
• Ensure your software is updated!
How is a HIPAA RA Done using:
Step 1 – Gather Information, Interviews, Inventory, etc.
Participants log in, answer simple questions and complete the interview.
Step 2 – Remediation Planning
Using the results of Step 1, develop and assign tasks.
Step 3 – Sign & Add Reviewers
Ongoing remediation, tracking and documentation.
Working Demonstration
Step 1 – Gather Information
Interviews & Automatic NIST 800-30
Project Management Screen
Automated, Calculated Results
Assign Tasks
Ongoing Remediation
Final Report
SRA Pitfalls and Quick-Tips
Do not be embarrassed to answer “NO”
Pressure to remediate during assessment
Don’t do this! Finish entire process ASAP.
Click on the “Yes” or “No” button for more information
Spend time in remediation planning
Itentive HIPAA Risk Analysis
Itentive can assist you in performing a thorough and accurate HIPAA Security Risk Analysis.
• Itentive will manage your HIPAA Security Risk Analysis and guide you, step-by-step, through the entire process
• Our methodology leverages the proven and tested HIPAA One software platform, which includes a comprehensive set of compliance questions and acts as a repository for maintaining the interview responses, supporting documentation and remediation action plan
• We will:
  – Review your interview responses and supporting materials and identify areas which need additional information or clarification
  – Identify threats/vulnerabilities and analyze controls in place
  – Guide the development of your remediation plan, prioritizing risks by likelihood and impact
  – Help you track and document your ongoing remediation efforts throughout the year
  – Be available as a resource to answer your HIPAA and Meaningful Use compliance related questions
Questions
Christ Floros
• Managing Consultant, Security & Compliance at Itentive Healthcare Solutions
• 224-220-5533