Surviving a HIPAA Audit: What you need to know NOW
So you can cope THEN
Jonathan Krasner
www.beinetworks.com
www.hipaasecurenow.com
Meaningful Use Incentives
EHR / Technology Implementations
30+ Million Patient Records Breached
Increased HIPAA Enforcement
Healthcare IT Landscape
Government Incentives
Regulation Enforcement
Technology Advances
HIPAA Violations
• Over 1200 HIPAA violations of 500+ records since 2009
• Violations occur for organizations of all sizes
• Violations occur for lots of different reasons
• Violations are increasing in size and scope
The complete list can be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HOUSTON, WE HAVE A PROBLEM
2015 HIPAA Audits
• Delayed
• 550-800 Covered Entities (CE) Contacted
• 350 Covered Entities Selected
• 50 Business Associates (BA) – Phase 2
• Utilize HHS / OCR Portal to Upload Information
• Letters Will Be Sent to CEs
• 2 Weeks to Respond / Upload Information
• Size, Location, Services, Other Information, BA
• Desk Audits and Onsite Audits
• Unlike Previous Audits, Fines are Expected to be Handed Out
Meaningful Use Audits
Meaningful Use Audits Are Occurring
• Audits targeted at up to 20% (1 in 5) of eligible providers
• Organizations can be audited either pre or post payment of incentive funds
• Failed audits may require an organization to repay a full year of incentive payments
• Incentive fund repayments average ~$10,000 per eligible provider
• Failed audit for 1 year could trigger an audit in another year
• Incentive payments must be repaid within 30 days of MU audit failure notice
HIPAA Enforcement
HIPAA Regulations are enforced by HHS-OCR
Enforcement Activities
• 2015 Random Audit Program
• Breach Investigations
• Covered entities
• Business Associates
• Complaint Investigations
• Dissatisfied patients
• Disgruntled employees
Cost of Breaches
Ponemon 2013 Cost of Data Breach Study:
Estimate $233 per record
# of records    Cost
1               $233
10              $2,330
100             $23,300
1000            $233,000
10000           $2,330,000
Cost of Breaches
Ponemon 2013 Cost of Data Breach Study:
Estimate $233 per record
Indirect Costs
1. Turnover of existing customers - Loss of customers / patients
2. Diminished customer acquisition - customers / patients not using a practice (Reputation is damaged)
Direct Costs
1. Detection and escalation costs - forensics investigative activities, crisis management activities
2. Notification costs - IT activities to create contact database, determination of regulatory requirements, postage, etc.
3. Post data breach costs - help desk activities, inbound communications from customers, identity protection services, etc.
Cost of Breaches
Ponemon 2013 Cost of Data Breach Study:
Estimate $233 per record (Does not include HIPAA fines)
Damage to Reputation
Indirect Costs
1. Turnover of existing customers - Loss of customers / patients
2. Diminished customer acquisition - customers / patients not using a practice
2012 Breaches – Categories
2012 Largest Breaches / Categories of HIPAA Breaches
1. Laptops and portable media – 40% of all breaches
2. Inappropriate access to patient information - 30% of all breaches
3. Email – Sending PHI unencrypted - 10% of all breaches
4. Hacking – 10% of all breaches
5. Loss of backup tapes - 10% of all breaches
Audit
An audit is the systematic examination of books, documents and other information of an
organization to ascertain whether they present a true and fair view of the subject matter. Audits
provide third party assurance to various stakeholders that the subject matter is
free from material misstatement.
How to survive an audit – Rule #1
Be compliant!
To be compliant, you need to
• Appoint a privacy and security officer
• Perform an annual security risk assessment
– Remediate gaps
• Have written policies and procedures
• Provide annual training to ALL employees
NOTE: This list is not exhaustive, but these are the major areas to focus on
How to survive an audit – Rule #2
Documentation!
How to document
• Be organized
• All documentation in one place
Examples:
- Paper file
- File share
- Web portal
What to document
• Policies and procedures
• Risk Assessment
• Work plan
• Training
– Consider testing
• Business Associate agreements
– BA Compliance
• Disaster recovery plans
• Media disposal log
• Security incidents
HIPAA Compliance is an ongoing process
• It is not “set it and forget it”
• But it does not have to be time consuming
• The security officer needs to budget a little time periodically for HIPAA compliance
HIPAA Compliance don’ts
• Don’t confuse having documentation with having good documentation
• Don’t buy a set of manuals on the Internet and think you are done
• Don’t perform a risk analysis via spreadsheet in 15 minutes
=> Auditors are looking for substance
What to expect when you are audited
• Most audits request documentation via mail
• You have 30 days to comply
• Don’t just blindly send all your documentation
– Review it first
– Consult a professional
• Compliance consultant
• Attorney
=> Don’t take it lightly
Audit Results
• Organizations with good documentation pass audits – HHS is not super picky. They are glad you have worked to comply
• If you have good documentation, but have suffered a breach, your penalties will be minimized
BUT……
Audit Results
If you have a breach (and yes, it can happen to you)
AND
Your documentation is bad, they can throw the book at you!
We’re here to help
• MCMS endorsed HIPAA compliance program
• 2,000 clients nationwide
• Have passed 50 CMS audits; no fails
• See BEI website (beinetworks.com) for details