Posted on 22-May-2020

9 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Private & Confidential Compliancy Group, LLC. © 2017 1 · 2019-10-09 · Started in 2005 by HIPAA auditors & Compliance experts § Market need for a total end client solution §


Page 2

Compliancy Group

Started in 2005 by HIPAA auditors & Compliance experts

• Market need for a total end client solution
• Created The Guard: cloud-based solution

Compliance is our business

• No client has ever failed an OCR or CMS audit!
• 100% of our clients would refer us to a friend
• Recognized Leader of Compliance
  - Top Compliance Tools & Emerging Vendor, CRN
  - More than 40 medical associations and technology providers – hosting, EHR, IT, Security
  - 2017 ChannelPro Visionary
  - CompTIA Channel Advisory Board
  - CompTIA Business Applications Advisory Council
  - Achievements in Health Care Spirit of Advocacy Award, Long Island Business News (LIBN)

Meet Your Expert

[Logos: Visionary Contributor, Proud Sponsor, Endorsed Partner]

Marc Haskelson
Compliancy Group, CEO
[email protected]
CompTIA Channel Advisory Board – Co-Chair
CompTIA Business Applications Advisory Council – Chair
Health Care Compliance Association – Member

Page 3

Agenda

Audits Overview

HIPAA Basics

HIPAA Compliance Checklist

Total Compliance

Page 4

Your role in Health Care

What is your primary role in Health Care?

[ ] Covered Entity (Doctors/Health Care provider/Practitioner)
[ ] Business Associate (Vendor or provider of support services)
[ ] Both
[ ] Not Sure

Page 5

HHS Wall of Shame

Based on HHS Breach Portal: Breaches Affecting 500 or More Individuals, “Type of Breach” https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 6

Sources of Breaches

[Chart]

• 56%: Caused by Theft or Loss-related reasons
• 11%: Involved Business Associates
• 30%: Caused by Hacking or IT incident

Source: https://www.healthcare-informatics.com/news-item/cybersecurity/study-30-percent-patient-data-breaches-involve-business-associates

Page 7

Causes Of A HIPAA Audit

[Chart: share of audits by cause; percentages not recoverable]

• Breach Notification
• Business Associates
• Phase 2 Random
• Meaningful Use Failure
• Reported
  - Whistleblower
  - Complaint

HHS is REQUIRED by law to investigate ALL HIPAA violation complaints

Page 8

The Seven Fundamental Elements of an Effective Compliance Program, according to HHS:

1. Implementing written policies, procedures and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action.

*Source: HHS & OIG

Page 9

The Process Of An Audit

[Flow diagram]

• Desk Audit: Request for Gap and Remediation Report
• On Site Audit: Review of all 7 Elements of Effective Compliance
• Results: Corrective Action Plan, Fines

Page 10

HIPAA Compliance Checklist

Page 11

Checklist

Which of the following Audits have you completed (within the last year)?

[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] Administrative Assessment
[ ] I have not completed any audits within the last year
[ ] I’ve completed ALL Six federally required audits within the last year

[Diagram of compliance building blocks: Audits – SRA (Security Risk Assessment), Administrative, Privacy]

Page 12

Risk Assessment is NOT Enough

• Who: OHSU (Oregon Health & Science University)
• What: Reports of unencrypted laptops, stolen unencrypted thumb drive, 1,361 patient records
• Why: Conducted SIX risk assessments (in 2003, 2005, 2006, 2008, 2010, 2013) but did not address the widespread vulnerabilities. Also lacked policies & procedures. Lack of BAA.
• Settlement: $2.7 Million & CAP

“From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels. “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

http://www.hhs.gov/about/news/2016/07/18/widespread-hipaa-vulnerabilities-result-in-settlement-with-oregon-health-science-university.html

Page 13

Checklist

Which of the following audits have you identified deficiencies and created written remediation plans for?

[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] Administrative Assessment
[ ] I have no formal remediation plan
[ ] I’ve identified deficiencies & created written remediation plans for all

[Diagram of compliance building blocks: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans]

Page 14

Implement Remediation Plans!

• Who: MAPFRE (Insurance Company of Puerto Rico)
• What: USB drive stolen (2,209 PHI)
• Why: Failure to conduct Risk Analysis;
  - Failure to implement risk management plans
  - Failure to deploy encryption on PHI devices
  - Failed to implement/delayed implementing corrective measures
• Settlement: $2.2 Million & CAP

https://www.hhs.gov/about/news/2017/01/18/hipaa-settlement-demonstrates-importance-implementing-safeguards-ephi.html

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” said OCR Director Jocelyn Samuels. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

Page 15

Checklist

Do ALL staff members read and attest to HIPAA Policies and Procedures annually?

[ ] No, not all of the staff members have
[ ] No, not within the last year
[ ] Yes, I have a staff meeting to review or they signed a code of conduct upon hire
[ ] Yes, but I don’t have supporting documentation
[ ] Yes, all staff members have read and I have supporting documentation

[Diagram of compliance building blocks: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training]

Page 16

Policies & Procedures Are a MUST

• Who: Lincare (Respiratory Care)
• What: Employee left behind documents (278 PHI) after moving. Lincare claimed it did not violate HIPAA. Admin Law Judge ruled in favor of OCR for civil monetary penalty.
• Why: Inadequate policies & procedures;
  - Minimal action to correct after complaint
• Ruling: $239,800 & CAP

http://www.modernhealthcare.com/article/20160209/NEWS/160209856

“While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” said OCR Director Jocelyn Samuels.

Page 17

Checklist

Do ALL staff members undergo basic HIPAA training annually?

[ ] No, not within the last year
[ ] Yes, I have an annual staff meeting
[ ] Yes, I assign my staff members to review education material online or take association training
[ ] Yes, each of my staff members have legally attested to training

Compliance Tip: A staff member MUST be designated as the HIPAA Compliance, Privacy, and/or Security Officer

[Diagram of compliance building blocks: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training; Document Version, Employee Attestation & Tracking]

Page 18

Avoidable Breach

• Who: Nonprofit org. – Anchorage Community Mental Health Services (ACMHS)
• What: Malware caused breach of unsecured ePHI
• Why: ACMHS could have avoided the breach (and not be subject to the settlement agreement) if it had followed its own policies and procedures (training)
• Ruling: $150,000 & CAP

http://www.healthcareitnews.com/news/hhs-slaps-group-150k-hipaa-breach-bill

“ACMHS had adopted policies and procedures in 2005, but these policies and procedures were not followed and/or updated.”

Page 19

Checklist

Have you identified all your BAs (business associates) and have BAAs (Business Associate Agreements) in place with them?

[ ] No, I have not
[ ] Yes, but I only have BAAs for some
[ ] Yes, but they refuse to sign BAAs
[ ] Yes, I have BAAs for all and conducted a technical due diligence

[Diagram of compliance building blocks: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training; Business Associate Management; Document Version, Employee Attestation & Tracking]

Page 20

Importance of BAAs

• Who: North Memorial Health Care of Minnesota
• What: Laptop theft, 6,497 patient records
• Why: No BAA with Billing firm;
  - Failed to complete a risk analysis to address all potential risks and vulnerabilities to ePHI
• Settlement: $1.55 Million & CAP

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of OCR. “Organizations must have in place compliant Business Associate Agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

http://www.hhs.gov/about/news/2016/03/16/155-million-settlement-underscores-importance-executing-hipaa-business-associate-agreements.html

Page 21

Checklist

Do you have a formal management process in the event of incidents or breaches?

[ ] I manually track and manage the investigation of all incidents and breaches
[ ] I have no formal process
[ ] I use a tool
[ ] I don’t have any and if I did why should I track it?

Compliance Tip: Your staff members must have the ability to anonymously report an incident.

[Diagram of compliance building blocks: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training; Business Associate Management; Incident Management & Remediation; Document Version, Employee Attestation & Tracking]

Page 22

Report Breaches Immediately!

• Who: Presence Health
• What: Missing paper schedules (836 PHI)
• Why: Failed to notify within 60 days of discovery:
  - Media outlets
  - OCR
  - Individuals affected
• Settlement: $475,000 & CAP

https://www.hhs.gov/about/news/2017/01/09/first-hipaa-enforcement-action-lack-timely-breach-notification-settles-475000.html

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

Page 23

What Information Does HIPAA Protect?

PHI may include any of the following:

• Names
• Addresses
• Dates of Service
• Telephone Numbers
• Fax Numbers
• Email Addresses
• Social Security Numbers
• Medical Record Numbers
• Health Plan Beneficiary Numbers
• Account Numbers
• Certificate/License Numbers
• Vehicle identifiers/Serial Numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers
• Full Face Photos or Videos
• Any other unique identifying number, characteristic, or code

Page 24

HIPAA misunderstandings?

• Compliance vs. Security
  - Fines vs. Risk
• HIPAA/HITECH
  - Protect patient confidentiality while furthering innovation and patient care
  - Privacy Rule and Security Rule
• Meaningful Use/MIPS/MACRA attestations
  - Accelerate adoption of EHR (electronic Health records)
• Omnibus Rule
  - Business Associates must be HIPAA compliant
  - Covered Entities must have BAAs
• Conduct Technical Due Diligence
  - Breach Notification Rule

[Diagram: HIPAA, HITECH, Omnibus, MACRA/MIPS]

Page 25

Important Definitions

Covered Entity (CE): Health care providers, health plans, health care clearinghouses who electronically transmit any Protected Health Information (PHI)

Business Associate (BA): Any individual or organization that creates, receives, maintains or transmits PHI on behalf of a Covered Entity (CE)

Subcontractor: Creates, receives, maintains or transmits PHI on behalf of a BA

Page 26

Important Definitions (Continued)

• The HIPAA privacy rule defines the type of information that must be kept private by categorizing it as “Protected Health Information,” or PHI for short.
• PHI can exist in written, oral, and electronic formats
• HIPAA requires administrative, physical, and technical safeguards to be implemented to address the confidentiality, integrity, and availability of ELECTRONIC PROTECTED HEALTH INFORMATION (ePHI).

Page 27

Compliance vs. Security

[Two-column diagram]

Compliance:
• Audits
  - Security, Privacy, and Administrative
• Gap Identification
• Remediation
• Policies & Procedures
• Employee Training & Attestation
• Business Associate Management
  - BA Agreements & Audit
• Incident Management

Security:
• Security Risk Analysis
• Penetration Testing
• Remediation
  - Vulnerability Remediation
• Prevention
  - System Hardening
• Detection
  - Behavioral monitoring
  - Network Security Monitoring

[Diagram labels: REPUTATION, FINES; REPUTATION, RISK; Security Risk Assessment]

Page 28

[Diagram: HIPAA rules and the audits that cover them]

Audits: Physical Audit; Administrative/Privacy Audit; Security/Technical Audit; Meaningful Use/MIPS Risk Assessment

Security Rule: Requires safeguards to ensure only those who should have access to electronic protected health information (ePHI) will have access.

Privacy Rule: Sets standards for when protected health information (PHI) may be used and disclosed.

Breach Notification Rule: Breaches of unsecured PHI require notifying HHS, affected individuals, and in some cases the media.

Page 29

Omnibus Rule

• Business Associates
  - Direct liability by function
  - Directly liable for violations
  - Must be HIPAA Compliant (Security Rule)
  - Technical, Administrative, & Physical Safeguards
• Covered Entities
  - Compliance with Privacy Rule
  - Must have BAAs (Business Associate Agreements)
  - Conduct a Technical Due Diligence

Page 30

Why Should I Worry About HIPAA?

“All too often we see covered entities with a limited risk analysis”

“Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis”

“We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”

– Jocelyn Samuels, Director of OCR

HIPAA is the Law

• HIPAA is confusing
  - SRA (Security Risk Assessment)
  - Policies & Procedures
  - Training
• Current market solutions only address pieces of compliance
• Enforcement is on the rise ↑
  - Record fines levied: $40+ Million since 2016*
  - Three prison sentences
  - Medical license revoked
  - State Attorney General levying fines

* $23,979,800 FY 2016, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

[Diagram of partial compliance: Policies, Procedures & Training; Audits – SRA (Security Risk Assessment); Security Remediation Efforts; remaining segments unlabelled (“?”)]

Page 31

Partial Compliance vs. Total Compliance

[Diagram, Total Compliance: Audits – SRA (Security Risk Assessment), Administrative, Privacy; Remediation Plans; Policies, Procedures & Training; Business Associate Management; Incident Management & Remediation; Document Version, Employee Attestation & Tracking]

[Diagram, Partial Compliance: Policies, Procedures & Training; Audits – SRA (Security Risk Assessment); Security Remediation Efforts; remaining segments unlabelled (“?”)]

Page 32

Need help with the Checklist?

§  One of our team members will reach out and provide you with a complimentary walkthrough of the checklist and address any of your compliance questions.

Page 33

Questions?

Marc Haskelson
President & CEO
855.854.4722 Ext 507
[email protected]

For more information, contact:

Compliancy Group
855.854.4722
[email protected]