© HIPAA Continuity Planners 2012 1 HIPAA Mandates a PLAN! (beyond hardware and software) Presented in Partnership with

© HIPAA Continuity Planners 2012


855.85HIPAA   www.compliancygroup.com

Compliance Simplified – Achieve, Illustrate, Maintain

Industry leading Education

Certified Partner Program

Today's Webinar

• Please ask questions via the Questions panel or chat

• Today's slides are available at http://compliancy-group.com/slides023/

• Past webinars and recordings: http://compliancy-group.com/webinar/


HIPAA Mandates:

• Risk Analysis
• Continuity Plan
• Security Procedures
• An Incident Response Plan
• Contact Procedures
• Documentation
• Employee Training


Processes and Procedures: Risk Analysis

The process of identifying possible external and internal conditions, events or situations; determining the causal relationships between probable happenings; and assessing their magnitude and likely outcomes as they might affect the continuing operation of the office.


Processes and Procedures: Continuity Plan

A set of documents, instructions, and procedures which enable a business to respond to accidents, disasters, emergencies, and threats without any stoppage or hindrance in its key operations.

Also known as a business resumption plan, disaster recovery plan, or resilience plan*

* From BusinessDictionary.com


Processes and Procedures: Security

HIPAA mandates security procedures for:

• Premises Access
• Computer Access authorization
• Server Access
• Log-in Monitoring
• Password management
• Health information sharing
• Termination procedures
• Compliance Tracking Software with logs
• Business Associates


Processes and Procedures for Incident Response Plan

Some steps of the IRP may include the following:

• Define the incident – what happened? When did it happen? Who was involved? When was it discovered?

• Stop the incident – if a smartphone is lost take the steps to disable the access, if a breach is found take the steps to prevent further access, etc.

• Document the incident – fill in all the details of what occurred from step 1 (define the incident) and step 2 (steps taken to stop the incident). Clearly document all aspects of the incident.


• Notify appropriate individuals / agencies – the number of patient records affected will determine what notification steps are needed. Individual patients and Health and Human Services (HHS) will need to be notified. In addition, local media may need to be notified as well.

• Provide guidance to prevent the incident from occurring again – an important aspect of an incident response is to ensure that the same incident does not happen in the future. Recommendations to increase security and reduce the risk of an incident are essential.


Processes and Procedures: Contact Plan

Establish:

• Procedures to contact employees via telephone, text and/or email in case of an office closing.

• A copy of the employee emergency notification list, kept outside of the office.

• A copy of patient contacts for daily appointments, available outside the office, for notification of an office closing.


Documentation

HIPAA required documentation:

• Risk Analysis
• Written Continuity Plan
• Security Procedures
• Emergency operation mode plan
• Periodic Evaluations
• Compliance Tracking Software with logs


Training

• Security Awareness Training
• Computer Security
• Incident Command
• Evacuation Procedures and Responsibility
• Basic HIPAA Requirements
• Employee buy-in through understanding


HIPAA/HITECH Penalties

• Tier A is for violations in which the offender didn't realize he or she violated the Act and would have handled the matter differently if he or she had. This results in a $100 fine for each violation, and the total imposed for such violations cannot exceed $25,000 for the calendar year.

• Tier B is for violations due to reasonable cause, but not "willful neglect." The result is a $1,000 fine for each violation, and the fines cannot exceed $100,000 for the calendar year.

• Tier C is for violations due to willful neglect that the organization ultimately corrected. The result is a $10,000 fine for each violation, and the fines cannot exceed $250,000 for the calendar year.

• Tier D is for violations of willful neglect that the organization did not correct. The result is a $50,000 fine for each violation, and the fines cannot exceed $1,500,000 for the calendar year.

• The HITECH Act allows state attorneys general to levy fines and seek attorneys' fees from covered entities on behalf of victims. Courts now have the ability to award costs, which they were previously unable to do.

855.85HIPAA   www.compliancygroup.com

Compliance Simplified – Achieve, Illustrate, Maintain

Free Demo and 15 Day Evaluation: 855.85HIPAA, http://compliancy-group.com/

New & Past Webinars: http://compliancy-group.com/webinar/

HIPAA Compliance, HITECH Attestation, Meaningful Use core measure


Questions?

A.J. (Andy) Weitzberg, President

[email protected] Ofc516.641.4001 Cell