Surviving a HIPAA Audit: Five Crucial Steps


Upload: compliancy-group

Post on 06-Nov-2014


Category:

Health & Medicine



DESCRIPTION

Spurred to action by HITECH, the U.S. Department of Health and Human Services has started to enforce HIPAA regulations through a series of random audits. In 2014 the audits are expected to extend to Business Associates. In this session, attorney Richard Wagner will cover the five crucial steps that Covered Entities and Business Associates alike will need to take now to survive an unexpected audit.

TRANSCRIPT

Page 1: Surviving a HIPAA Audit: Five Crucial Steps

855.85HIPAA  www.compliancygroup.com

Industry leading Education

Certified Partner Program

•  Please ask questions
•  For today's slides: http://compliancy-group.com/slides023/
•  Today's & past webinars: http://compliancy-group.com/webinar/

Get Involved.

#cgwebinar

Page 2: Surviving a HIPAA Audit: Five Crucial Steps

Surviving a HIPAA Audit: Five Crucial Steps

Richard Wagner

Page 3: Surviving a HIPAA Audit: Five Crucial Steps

Quick Poll #1

Page 4: Surviving a HIPAA Audit: Five Crucial Steps

Quick Takeaway

•  The HIPAA Audit program sounds scary
•  Challenge – think of this as an opportunity
   ◦  IT/Security/Compliance: your voice can be heard
   ◦  Providers: better serve your patients in an increasingly insecure environment
•  Overall theme: tackle the priority items first, then move on to the other issues

Page 5: Surviving a HIPAA Audit: Five Crucial Steps

Agenda

•  HIPAA Audit Program Overview
•  Pilot Program Results and Discussion
•  Five Steps to Surviving an Audit
•  Questions

Page 6: Surviving a HIPAA Audit: Five Crucial Steps

The HIPAA Audit Program

•  Enacted into law in 2009 (ARRA/HITECH)
•  Designed as an alternative to purely ex post (after-the-fact) enforcement
•  HHS' Office for Civil Rights (OCR) oversees the program, but most of the work is contracted out to consultants
•  Two pilot programs (2012 and 2013)
•  Permanent rollout in 2014

Page 7: Surviving a HIPAA Audit: Five Crucial Steps

Pilot: 2012-2013

•  Caveat: designed/implemented before the Omnibus Rule
   ◦  Covered Entities only, no Business Associates
   ◦  Used the old breach analysis, etc.
•  OCR findings
   ◦  Many issues, even intentional misrepresentations
   ◦  Small providers had the most difficulty
   ◦  Security flaws dominated the findings

Page 8: Surviving a HIPAA Audit: Five Crucial Steps

Pilot Findings

Page 9: Surviving a HIPAA Audit: Five Crucial Steps

Privacy Rule Findings

Page 10: Surviving a HIPAA Audit: Five Crucial Steps

Security Rule Problems

Page 11: Surviving a HIPAA Audit: Five Crucial Steps

Points of Emphasis: Privacy Rule

•  Policies and procedures
•  Minimum Use

Page 12: Surviving a HIPAA Audit: Five Crucial Steps

Points of Emphasis: Security Rule

•  Risk assessment, risk assessment, and risk assessment
•  Mobile device security
   ◦  Data in motion
   ◦  Data at rest
•  Security incident procedures
   ◦  Ever more important after the HIPAA Omnibus Regulations went into effect

Page 13: Surviving a HIPAA Audit: Five Crucial Steps

HIPAA Audit Survival: The Five Steps

Page 14: Surviving a HIPAA Audit: Five Crucial Steps

Step #1 – Organization

•  Initial document request period: 10 days from the postmarked audit letter
•  Done by design: the short window tests your response time
•  Following this step also lets you assess your documentation gaps
•  Update old documents
•  Establish an audit trail

Page 15: Surviving a HIPAA Audit: Five Crucial Steps

Quick Poll #2

Page 16: Surviving a HIPAA Audit: Five Crucial Steps

Step #2 – Security Risk Assessment

•  The most important document you need for HIPAA compliance
   ◦  Stressed by OCR and by the HIPAA Audit process
   ◦  Also has great practical value – a risk assessment is foundational to proper risk management
•  Does not have to be daunting – scalable according to the size of the organization
•  What you need to assess
   ◦  Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
•  Other tips

Page 17: Surviving a HIPAA Audit: Five Crucial Steps

Step #3 – Plugging the PHI Holes

•  Risk management – comes on the heels of your risk assessment
•  Document everything
   ◦  Remember, the goal is to establish an audit trail
•  Prioritize risk mitigation actions

Page 18: Surviving a HIPAA Audit: Five Crucial Steps

Step #4 – Business Associate Agreements

•  Update your BAA to reflect the Omnibus changes
   ◦  The changes aren't drastic, but they need to be in there
•  Make sure all vendors are under an agreement
   ◦  The BAA terms and complexity needed can vary from provider to provider
   ◦  Consult your attorney if necessary
•  Get subcontractor assurances
•  Related – vendor management procedures

Page 19: Surviving a HIPAA Audit: Five Crucial Steps

Step #5 – Training

•  Point of emphasis in the audits, so documentation is critical
•  Don't limit yourself to HIPAA training
   ◦  Security awareness should be included as well
•  Use the training as an opportunity to gain information

Page 20: Surviving a HIPAA Audit: Five Crucial Steps

Conclusions

•  Audits signal a major change in enforcement
•  As worrisome as this might sound, it can be viewed as an opportunity
•  Risk assessment: the foundation
•  The more documentation, the better

Page 21: Surviving a HIPAA Audit: Five Crucial Steps

Questions

Richard Wagner

richard@qliqsoft.com

Page 22: Surviving a HIPAA Audit: Five Crucial Steps

Free Demo and 60 Day Evaluation: www.compliancy-group.com

855.85 HIPAA (855.854.4722)

The Guard:

One simple, cost-effective Compliance Tracking Solution that satisfies HIPAA, HITECH Risk Assessment, and Omnibus Compliance

•  Reduces risk & liability
•  Differentiates you from the competition
•  Retain clients/patients
•  Improve revenue