Surviving a HIPAA Audit: Five Crucial Steps
855.85HIPAA www.compliancygroup.com
Industry leading Education
Certified Partner Program
• Please ask questions
• For today's slides: http://compliancy-group.com/slides023/
• For today's and past webinars, go to: http://compliancy-group.com/webinar/
Get Involved.
#cgwebinar
Surviving a HIPAA Audit: Five Crucial Steps
RICHARD WAGNER
Quick Poll #1
Quick Takeaway
The HIPAA Audit program sounds scary
Challenge – think of this as an opportunity
◦ IT/Security/Compliance: voice can be heard
◦ Providers: better serve your patients in an increasingly unsecure environment
Overall theme: tackle the priority items, then move onto the other issues
Agenda
HIPAA Audit Program Overview
Pilot Program Results and Discussion
Five Steps to Surviving an Audit
Questions
The HIPAA Audit Program
Enacted into law in 2009 (ARRA/HITECH)
Designed to combat ex post enforcement
HHS’ Office of Civil Rights (OCR) oversees program, but most work contracted out to consultants
Two pilot programs (2012 and 2013)
Permanent rollout in 2014
Pilot: 2012-2013
Caveat: designed/implemented before Omnibus Rule
◦ Covered Entities only, no Business Associates
◦ Used old breach analysis, etc.
OCR findings
◦ Many issues, even intentional misrepresentations
◦ Small providers had the most difficulty
◦ Security flaws dominated findings
Pilot Findings
Privacy Rule Findings
Security Rule Problems
Points of Emphasis: Privacy Rule
Policies and procedures
Minimum Use
Points of Emphasis: Security Rule
Risk assessment, risk assessment, and risk assessment
Mobile device security
◦ Data in motion
◦ Data at rest
Security incident procedures
◦ Ever more important after HIPAA Omnibus Regulations went into effect
HIPAA Audit Survival
THE FIVE STEPS
Step #1 – Organization
Initial document request period: 10 days from the postmarked audit letter
Done by design: testing your response time
Following this step also allows you to assess your documentation gaps
Update old documents
Establishing an audit trail
Quick Poll #2
Step #2 – Security Risk Assessment
The most important document you need for HIPAA compliance
◦ Stressed by OCR and the HIPAA Audit process
◦ Also has great practical value – a risk assessment is foundational to proper risk management
Does not have to be daunting – scalable according to size
What you need to assess
◦ Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Other tips
Step #3 – Plugging the PHI Holes
Risk management – comes on the heels of your risk assessment
Document everything
◦ Remember, the goal is to establish an audit trail
Prioritize risk mitigation actions
Step #4 – Business Associate Agreements
Update your BAA to reflect Omnibus changes
◦ The changes aren’t drastic, but they need to be in there
Make sure all vendors are under an agreement
◦ BAA terms and complexity needed can vary from provider to provider
◦ Consult your attorney if necessary
Get subcontractor assurances
Related – vendor management procedures
Step #5 – Training
Point of emphasis in the audits, so documentation is critical
Don’t limit yourself to HIPAA training
◦ Security awareness should be included as well
Use the training as an opportunity to gain information
Conclusions
Audits signal a major change in enforcement
As worrisome as this might sound, this can be viewed as an opportunity
Risk assessment: the foundation
The more documentation, the better
Questions
Richard Wagner
richard@qliqsoft.com
Free Demo and 60 Day Evaluation www.compliancy-group.com
855.85 HIPAA (855.854.4722)
The Guard:
One Simple, cost effective Compliance Tracking Solution that satisfies HIPAA, HITECH Risk Assessment, and Omnibus Compliance
• Reduces Risk & Liability
• Differentiates you from the competition
• Retain Clients/Patients
• Improve Revenue