Why a Risk Assessment Is Not Enough for HIPAA Compliance
Post on 12-Jul-2015
855 85 HIPAA www.compliancygroup.com
Industry-leading Education
Certified Partner Program
For Today
• Please ask and be prepared for questions!
• Today's slides: www.compliancy-group.com/slides023
• Upcoming & past webinars: http://compliancy-group.com/webinar/
Get Involved: #cgwebinar
• How to increase your profit using patient payments on file, recurring and online bill pay: Tuesday, January 20th from 2:00 – 3:30 EST
Copyright 2007-2015 1
A Common Misconception
• 79% of health care providers believe completing a risk assessment will satisfy Meaningful Use AND HIPAA compliance
• FALSE!!!
Why do you care?
• Lose HITECH incentive payments
• Return the HITECH money
• HIPAA Fines/Penalties:
  • Up to $50,000/incident
  • $1.5 million max.
OMNIBUS
• Satisfy the total set of regulations
• Beyond just a risk analysis
• To comply with HIPAA, you must continue to review, correct or modify, and update security protections
"Pleading ignorance will not be a defense when OCR comes to call."*
* http://www.govhealthit.com/news/steps-prep-phase-2-ocr-audits
HIPAA
• Health Insurance Portability and Accountability Act of 1996
• Provides national standards to protect the privacy of PHI (Personal Health Information)
• Security, Breach Notification, and Safety Rules
Audit areas:
• Administrative Audit
• Physical Audit
• Security Audit
HITECH and Meaningful Use
• CEs (Covered Entities) must prove that they are using certified EHR (Electronic Health Record) technology in a meaningful manner
• Incentive payments
• Providers are required to demonstrate Meaningful Use EVERY year
Meaningful Use
Meaningful Use Risk Assessment
"Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."*
• Required for each reporting period for BOTH Meaningful Use Stages 1 and 2
• Steps:
  • Review existing security infrastructure
  • Identify potential threats to patient privacy and security and assess the impact on your e-PHI
  • Prioritize risks based on impact severity
*http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Audit areas:
• Administrative Audit
• Physical Audit
• Security Audit
• Meaningful Use Risk Assessment
CMS Says
• Only 11% of Covered Entities passed the audit; 70% of Covered Entities are not compliant
• 98% of health care providers audited had at least one negative finding
• Most common cause: entity unaware of the requirements
• Beginning in 2015:
  • 5% of providers will be audited
  • CMS will report failures to OCR (Office of Civil Rights)
  • Onsite audits will be much more comprehensive, including both Covered Entities and Business Associates
Is your Risk Assessment enough?
• Reporting on the compliance audits, CMS wrote: "CEs did not understand the key elements of an effective risk assessment. CEs did not conduct a documented analysis… In some cases, although management had identified certain risks within the organization, no formally documented risk assessment covering e-PHI risks throughout the organization existed."*
• Problems were discovered with most or all CEs' policies and procedures, including those for performing Risk Assessments
*CMS Compliance Reviews, "HIPAA Compliance Review Analysis and Summary of Results"
Penalties
• $100-$50,000 per incident, up to $1.5 million
• $1,000-$50,000 per incident, up to $1.5 million
• $10,000-$50,000 per incident, up to $1.5 million
• $50,000 per incident, up to $1.5 million
Beyond a Risk Analysis
Step 1. Assess where you are against the regulation (GAP)
• The key to a risk analysis is auditing yourself against the administrative, technical, and physical aspects of HIPAA
• A risk analysis will help you attest to Meaningful Use Stage 1 Core Requirement 15
Step 2. Remediation Plan
• Prove that you remediated the deficiencies identified in the risk analysis
• Policies & Procedures, Training, and Attestation
Step 3. How do you prove it?
Successful compliance plans address:
• Administration and Technical
  • Policies and Procedures
  • IT security
  • Devices installed and maintained within your organization
• Physical
  • Security within the physical locations of your practice(s)
(Meaningful Use Stage 2 Core Requirement 9 requires that remediation of the deficiencies found during the risk analysis be documented and completed)
Step 4. Maintain your compliance
• As the regulations, staff, and practice change
Questions?
For more information, contact:
Sales & Demo Scheduling Questions: Marc Haskelson, 855.854.4722 ext 507, marc@compliancygroup.com
HIPAA Questions: Bob Grant, 855.854.4722 ext 502, bob@compliancygroup.com