Private & Confidential Compliancy Group, LLC. © 2017 1
Compliancy Group Started in 2005 by HIPAA auditors & Compliance experts
§ Market need for a total end client solution
§ Created The Guard: cloud-based solution
Compliance is our business
§ No client has ever failed an OCR or CMS audit!
§ 100% of our clients would refer us to a friend
§ Recognized Leader of Compliance
• Top Compliance Tools & Emerging Vendor CRN
• More than 40 medical associations and technology providers – hosting, EHR, IT, Security
• 2017 ChannelPro Visionary
• CompTIA Channel Advisory Board
• CompTIA Business Applications Advisory Council
• Achievements in Health Care Spirit of Advocacy Award, Long Island Business News (LIBN)
Meet Your Expert
Marc Haskelson, Compliancy Group, CEO
• CompTIA Channel Advisory Board – Co Chair
• CompTIA Business Applications Advisory Council – Chair
• Health Care Compliance Association – Member
Visionary Contributor · Proud Sponsor · Endorsed Partner
Agenda
Audits Overview
HIPAA Basics
HIPAA Compliance Checklist
Total Compliance
Your role in Health Care
What is your primary role in Health Care?
☐ Covered Entity (Doctors/Health Care provider/Practitioner)
☐ Business Associate (Vendor or provider of support services)
☐ Both
☐ Not Sure
HHS Wall of Shame
Based on HHS Breach Portal: Breaches Affecting 500 or More Individuals, “Type of Breach” https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Sources of Breaches
• 56% – Caused by Theft or Loss-related reasons
• 30% – Caused by Hacking or IT incident
• 11% – Involved Business Associates
Source: https://www.healthcare-informatics.com/news-item/cybersecurity/study-30-percent-patient-data-breaches-involve-business-associates
Causes Of A HIPAA Audit
[Pie chart of audit causes; the percentages are shown as ?% on the slide]
• Breach Notification
• Business Associates
• Phase 2 Random
• Meaningful Use Failure
• Reported
  – Whistleblower
  – Complaint
HHS is REQUIRED by law to investigate ALL HIPAA violation complaints
The Seven Fundamental Elements of an Effective Compliance Program
Compliance according to HHS:
1. Implementing written policies, procedures and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action.
* Source: HHS & OIG
The Process Of An Audit
1. Desk Audit – Request for Gap and Remediation Report
2. On Site Audit – Review of all 7 Elements of Effective Compliance
3. Results – Corrective Action Plan, Fines
HIPAA Compliance Checklist
Checklist
Which of the following Audits have you completed (within the last year)?
☐ Security Risk Assessment
☐ Privacy Assessment
☐ Administrative Assessment
☐ I have not completed any audits within the last year
☐ I’ve completed ALL Six federally required audits within the last year
[Sidebar: Audits – SRA (Security Risk Assessment), Administrative, Privacy]
Risk Assessment is NOT Enough
§ Who: OHSU (Oregon Health & Science University)
§ What: Reports of unencrypted laptops, stolen unencrypted thumb drive, 1,361 patient records
§ Why: Conducted SIX risk assessments (in 2003, 2005, 2006, 2008, 2010, 2013) but did not address the widespread vulnerabilities. Also lacked policies & procedures. Lack of BAA.
§ Settlement: $2.7 Million & CAP
“From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels. “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”
http://www.hhs.gov/about/news/2016/07/18/widespread-hipaa-vulnerabilities-result-in-settlement-with-oregon-health-science-university.html
Checklist
Which of the following audits have you identified deficiencies and created written remediation plans for?
☐ Security Risk Assessment
☐ Privacy Assessment
☐ Administrative Assessment
☐ I have no formal remediation plan
☐ I’ve identified deficiencies & created written remediation plans for all
[Sidebar: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans]
Implement Remediation Plans!
§ Who: MAPFRE (Insurance Company of Puerto Rico)
§ What: USB drive stolen (2,209 PHI)
§ Why: Failure to conduct Risk Analysis;
• Failure to implement risk management plans
• Failure to deploy encryption on PHI devices
• Failed to implement/delayed implementing corrective measures
§ Settlement: $2.2 Million & CAP
https://www.hhs.gov/about/news/2017/01/18/hipaa-settlement-demonstrates-importance-implementing-safeguards-ephi.html
“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” said OCR Director Jocelyn Samuels. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
Checklist
Do ALL staff members read and attest to HIPAA Policies and Procedures annually?
☐ No, not all of the staff members have
☐ No, not within the last year
☐ Yes, I have a staff meeting to review or they signed a code of conduct upon hire
☐ Yes, but I don’t have supporting documentation
☐ Yes, all staff members have read and I have supporting documentation
[Sidebar: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training]
Policies & Procedures Are a MUST
§ Who: Lincare (Respiratory Care)
§ What: Employee left behind documents (278 PHI) after moving. Lincare claimed it did not violate HIPAA. Admin Law Judge ruled in favor of OCR for civil monetary penalty.
§ Why: Inadequate policies & procedures;
• Minimal action to correct after complaint
§ Ruling: $239,800 & CAP
http://www.modernhealthcare.com/article/20160209/NEWS/160209856
“While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” said OCR Director Jocelyn Samuels.
Checklist
Do ALL staff members undergo basic HIPAA training annually?
☐ No, not within the last year
☐ Yes, I have an annual staff meeting
☐ Yes, I assign my staff members to review education material online or take association training
☐ Yes, each of my staff members has legally attested to training
Compliance Tip: A staff member MUST be designated as the HIPAA Compliance, Privacy, and/or Security Officer
[Sidebar: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training; Document Version, Employee Attestation & Tracking]
Avoidable Breach
§ Who: Nonprofit org. - Anchorage Community Mental Health Services (ACMHS)
§ What: Malware caused breach of unsecured ePHI
§ Why: ACMHS could have avoided the breach (and not been subject to the settlement agreement) if it had followed its own policies and procedures (training)
§ Ruling: $150,000 & CAP
http://www.healthcareitnews.com/news/hhs-slaps-group-150k-hipaa-breach-bill
“ACMHS had adopted policies and procedures in 2005, but these policies and procedures were not followed and/or updated.”
Checklist
Have you identified all your BAs (business associates) and have BAAs (Business Associate Agreements) in place with them?
☐ No, I have not
☐ Yes, but I only have BAAs for some
☐ Yes, but they refuse to sign BAAs
☐ Yes, I have BAAs for all and conducted a technical due diligence
[Sidebar: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training; Business Associate Management; Document Version, Employee Attestation & Tracking]
Importance of BAAs
§ Who: North Memorial Health Care of Minnesota
§ What: Laptop theft, 6,497 patient records
§ Why: No BAA with Billing firm;
• Failed to complete a risk analysis to address all potential risks and vulnerabilities to ePHI
§ Settlement: $1.55 Million & CAP
“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of OCR. “Organizations must have in place compliant Business Associate Agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
http://www.hhs.gov/about/news/2016/03/16/155-million-settlement-underscores-importance-executing-hipaa-business-associate-agreements.html
Checklist
Do you have a formal management process in the event of incidents or breaches?
☐ I manually track and manage the investigation of all incidents and breaches
☐ I have no formal process
☐ I use a tool
☐ I don’t have any and if I did why should I track it?
Compliance Tip: Your staff members must have the ability to anonymously report an incident.
[Sidebar: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training; Business Associate Management; Incident Management & Remediation; Document Version, Employee Attestation & Tracking]
Report Breaches Immediately!
§ Who: Presence Health
§ What: Missing paper schedules (836 PHI)
§ Why: Failed to notify within 60 days of discovery:
• Media outlets
• OCR
• Individuals affected
§ Settlement: $475,000 & CAP
https://www.hhs.gov/about/news/2017/01/09/first-hipaa-enforcement-action-lack-timely-breach-notification-settles-475000.html
“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
What Information Does HIPAA Protect?
PHI may include any of the following:
§ Names
§ Addresses
§ Dates of Service
§ Telephone Numbers
§ Fax Numbers
§ Email Addresses
§ Social Security Numbers
§ Medical Record Numbers
§ Health Plan Beneficiary Numbers
§ Account Numbers
§ Certificate/License Numbers
§ Vehicle identifiers/Serial Numbers
§ Device identifiers and serial numbers
§ Web Universal Resource Locators (URLs)
§ Internet Protocol (IP) address numbers
§ Biometric identifiers
§ Full Face Photos or Videos
§ Any other unique identifying number, characteristic, or code
HIPAA misunderstandings?
§ Compliance vs. Security
• Fines vs. Risk
§ HIPAA/HITECH
• Protect patient confidentiality while furthering innovation and patient care
• Privacy Rule and Security Rule
§ Meaningful Use/MIPS/MACRA attestations
• Accelerate adoption of EHR (electronic Health records)
§ Omnibus Rule
• Business Associates must be HIPAA compliant
• Covered Entities must have BAAs
• Conduct Technical Due Diligence
• Breach Notification Rule
[Diagram: nested layers – HIPAA, HITECH, Omnibus, MACRA/MIPS]
Important Definitions
Covered Entity (CE): Health care providers, health plans, health care clearinghouses who electronically transmit any Protected Health Information (PHI)
Business Associate (BA): Any individual or organization that creates, receives, maintains or transmits PHI on behalf of a Covered Entity (CE)
Subcontractor: Create, receive, maintain or transmit PHI on behalf of a BA
Important Definitions (Continued)
§ The HIPAA privacy rule defines the type of information that must be kept private by categorizing it as “Protected Health Information,” or PHI for short.
§ PHI can exist in written, oral, and electronic formats
§ HIPAA requires administrative, physical, and technical safeguards to be implemented to address the confidentiality, integrity, and availability of ELECTRONIC PROTECTED HEALTH INFORMATION (ePHI).
Compliance vs. Security
Compliance
§ Audits
• Security, Privacy, and Administrative
§ Gap Identification
§ Remediation
§ Policies & Procedures
§ Employee Training & Attestation
§ Business Associate Management
• BA Agreements & Audit
§ Incident Management
Security
§ Security Risk Analysis
§ Penetration Testing
§ Remediation
• Vulnerability Remediation
§ Prevention
• System Hardening
§ Detection
• Behavioral monitoring
• Network Security Monitoring
[Diagram labels: FINES, REPUTATION (Compliance side); RISK, REPUTATION (Security side); Security Risk Assessment]
Audits: Physical Audit · Security/Technical Audit · Administrative/Privacy Audit
Security Rule: Requires safeguards to ensure only those who should have access to electronic protected health information (ePHI) will have access.
Privacy Rule: Sets standards for when protected health information (PHI) may be used and disclosed.
Breach Notification Rule: Breaches of unsecured PHI require notifying HHS, affected individuals, and in some cases the media.
Meaningful Use/MIPS Risk Assessment
Omnibus Rule
§ Business Associates
• Direct liability by function
• Directly liable for violations
• Must be HIPAA Compliant (Security Rule)
§ Technical, Administrative, & Physical Safeguards
§ Covered Entities
• Compliance with Privacy Rule
• Must have BAAs (Business Associate Agreements)
• Conduct a Technical Due Diligence
“All too often we see covered entities with a limited risk analysis”
“Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis”
“We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”
– Jocelyn Samuels, Director of OCR
Why Should I Worry About HIPAA?
HIPAA is the Law
§ HIPAA is confusing
• SRA (Security Risk Assessment)
• Policies & Procedures
• Training
§ Current market solutions only address pieces of compliance
§ Enforcement is on the rise ↑
• Record fines levied: $40+ Million since 2016
• Three prison sentences
• Medical license revoked
• State Attorney General levying fines
* $23,979,800 FY 2016, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
[Diagram: partial compliance – Policies, Procedures & Training; Audits – SRA (Security Risk Assessment); Security Remediation Efforts; the remaining elements are marked ?]
Partial Compliance vs. Total Compliance
[Diagram, Partial Compliance: Policies, Procedures & Training; Audits – SRA (Security Risk Assessment); Security Remediation Efforts; the remaining elements are marked ?]
[Diagram, Total Compliance: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training; Business Associate Management; Incident Management & Remediation; Document Version, Employee Attestation & Tracking]
Need help with the Checklist?
§ One of our team members will reach out and provide you with a complimentary walkthrough of the checklist and address any of your compliance questions.
Questions?
Marc Haskelson
President & CEO
855.854.4722 Ext 507
For more information, contact:
Compliancy Group
855.854.4722 [email protected]