how to become hipaa compliant, increase revenue, and gain · 2019-09-25 · are you a business...
Slide 1
Copyright 2007-2015
Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients
Slide 2
Federal Regulations
§ HIPAA: Health Insurance Portability and Accountability Act of 1996
  • Purpose: to protect confidential information through improved security and privacy standards
§ HITECH: The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009
§ Omnibus Rule of 2013
Slide 3
Entities Defined
§ Covered Entity (CE): Health care providers, health plans, and health care clearinghouses that electronically transmit any Protected Health Information (PHI)
§ Business Associate (BA): Creates, receives, maintains or transmits PHI on behalf of a Covered Entity (CE)
§ Subcontractor: Creates, receives, maintains or transmits PHI on behalf of a BA
Slide 4
Are You A Business Associate? Examples:
§ IT Support and Software Vendors
§ IT Equipment Vendors
§ Leasing firms
§ Telephone CPE Vendors
§ Shredding Vendors
§ Data Centers
§ Cloud Computing Providers
§ Answering Services for Medical Offices
§ Medical Billing Services
§ Medical Transcription Services
§ Medical Collection Agencies
§ Temporary Employment Agencies
Slide 5
Omnibus Rule
§ Substantially increased the magnitude of HIPAA enforcement risk and liability
§ Before Omnibus: BAs/Subcontractors regulated through Business Associate Agreements (BAAs)
§ After Omnibus: BAs/Subcontractors are now regulated directly under HIPAA:
  • Comply with the HIPAA Security Rule
  • Comply with a specific section of the HITECH Breach Notification Rule
  • Comply with all applicable provisions of the Privacy Rule
  • Still need to provide a BAA
Slide 6
Business Associate Agreement
Agreement between the CE and BA to govern the BA’s creation, use, maintenance and disclosure of PHI.
§ Must comply with HIPAA Security and Privacy Rules
§ BAAs have ALWAYS been required by HIPAA
§ After Omnibus – Require reciprocal monitoring by the BA & CE
§ Subcontractors of BAs are treated as BAs as well
Slide 7
Your Liabilities
Business associates are directly liable for:
1. Impermissible uses and disclosures
2. Failure to provide breach notification to the CE
3. Failure to provide access to a copy of ePHI to the CE, the individual, or the individual’s designee
4. Failure to disclose PHI where required by HHS to investigate or determine the BA’s HIPAA compliance
5. Failure to follow the Minimum Necessary standard when using or disclosing PHI
6. Failure to provide an accounting of disclosures
Slide 8
Penalties For Non-Compliance

Violation Category, Section 1176(a)(1)    | Each Violation          | All such violations of an identical provision in a calendar year
(A) Did Not Know                          | $100 to Max $50,000     | $1,500,000
(B) Reasonable Cause                      | $1,000 to Max $50,000   | $1,500,000
(C)(i) Willful Neglect - Corrected        | $10,000 to Max $50,000  | $1,500,000
(C)(ii) Willful Neglect - Not Corrected   | $50,000                 | $1,500,000

Before Omnibus: No more than $100 per violation or $25,000 for all identical violations
After Omnibus: Violations ↑, no more “Did Not Know” defense
Slide 9
Willful Neglect
§ NO plan to show you are working towards FULL compliance despite not being compliant at the moment
§ NO visible, demonstrable evidence that you are either in compliance or making a serious attempt at compliance
§ You have legal documents but they do not meet the specific requirements of the regulations
§ You have legal documents/manuals but NO policies and procedures to support said documents
Slide 10
What You NEED To Do
Your Compliance Requirements as a Business Associate:
1) Security Management
   § Risk assessment, Risk management
2) Assigned Security Responsibility
3) Information Access Management
4) Workforce Security
5) Employee Training
6) Security Incident Plan
7) Contingency Plan
8) Evaluation – Annual/periodic evaluation
Slide 11
Compliance Plan
Step 1. Assess where you are against the regulation (GAP)
  • The key to a risk analysis is auditing yourself against the administrative, technical, and physical aspects of HIPAA
Step 2. Remediation Plan
  • Prove that you remediated the deficiencies identified in the risk analysis
  • Policies & Procedures, Training, and Attestation
Slide 12
Compliance Plan (Continued)
Step 3. How do you prove it? Successful compliance plans address:
  • Administration and Technical
    § Policies and Procedures
  • IT security
    § Devices installed and maintained within your organization
  • Physical
    § Security within physical locations of your practice(s)
Step 4. Maintain your compliance
  • As the regulations, staff, and practice change
Slide 14
To Be, Or Not To Be…
§ Protect your and your clients’ reputations
§ Limit your liabilities
  • Protect PHI
§ Differentiate your company
  • Retain Clients
  • Obtain New Clients
This is a Federal Mandate
Slide 15
Health Care Industry
$44 Billion Incentive Dollars Paid
3-5 Million CE’s & BA’s
70-79% Are NOT Compliant
§ Heavy Enforcement
§ In the News
§ Reputation vs. Fines
Slide 16
Trends in HIPAA Enforcement
[Figure: enforcement cases – Dentist (Indiana), Nonprofit (Alaska), Pharmacy (Colorado), Hospital (Texas), Anthem]
§ Indiana Dentist – License Permanently Revoked for “Mishandling medical records”
§ Denver Pharmacy – “failed to provide training as required by the Privacy Rule.”
§ Alaskan Nonprofit – “policies and procedures were not followed and/or updated.”
§ Wellpoint Inc. – $1.7 Million settlement caused by a BA performing a software upgrade
Slide 17
The Big Misconception
“I completed a Risk Assessment, I’m HIPAA Compliant.”
A Risk Assessment is only a part of HIPAA compliance. ALL aspects of HIPAA are needed to pass an audit.
• 70% of Covered Entities are not compliant
• 79% of Covered Entities fail their Meaningful Use audit
CEs fail to understand the difference between HIPAA and HITECH.
“Problems were discovered with most or all CE’s policies and procedures including those for performing Risk Assessments” [1]
“89% of the entities audited were non-compliant in one or more areas. Security Rule issues accounted for 60% of the findings and observations, while the Privacy and Breach Notification Rules yielded 30% and 10% respectively” [2]
1: CMS Compliance Reviews, “HIPAA Compliance Review Analysis and Summary of Results”
2: http://www.healthcare-informatics.com/article/ocr-audits-forewarned-forearmed
Slide 18
*: Stats compiled from the 2015 Webinar “A Risk Assessment is Not Enough.”
Slide 19
Partnership Program
§ Best solution in the market
  • Designed by Auditors for HIPAA, PCI & GLB
  • Culture of Compliance for the end user
  • TOTAL compliance solution
  • Compliance Coaching
§ Sales & Marketing Support
§ Flexible options for New Revenue Streams
  • Affiliate Referral
  • Reseller
Slide 20
For more information, contact:
Sales & Demo Scheduling Questions: Marc Haskelson, 855.854.4722 ext 507, marc@compliancygroup.com
HIPAA Questions: Bob Grant, 855.854.4722 ext 502, bob@compliancygroup.com
Slide 21
www.compliancy-group.com 855.85 HIPAA (855.854.4722)
Find out more now:
The Total Compliance Solution: The Guard
[Figure: Achieve / Illustrate / Maintain – HIPAA Compliant; Audits (Security, Administrative, Privacy); Remediation Planning; Policies, Procedures & Training; Business Associate Management; Document Version; Employee Attestation & Tracking; Incident Management; Seal of Compliance; HIPAA Hotline; Compliance Coaching; Compliance Simplified]
§ All aspects of compliance satisfied
§ Compliance simplified!
§ Compliance Coach walks the client through the whole journey
§ No client has ever failed an audit!