Forming Your HIPAA Compliance Plan
PRESENTED BY
Daniel B. Brown, Esq., Healthcare Attorney, Taylor English Duma LLP
Jason Karn, Director of Training and IT, Total HIPAA Compliance
Today’s Presenters
Housekeeping
This program is educational and does not constitute, and may not be construed as, legal advice to, or creating an attorney-client relationship with, any person or entity.
The materials referenced here are subject to change, so frequent review of the source material is suggested.
What is a HIPAA Compliance Plan?
A compendium of your organization’s Policies and Procedures describing your Privacy and Security obligations over your Protected Health Information.
What is a HIPAA Compliance Plan?
The purpose of your plan is to…
• Provide evidence of your organization’s compliance with HIPAA’s Privacy and Security Regulations
• Serve as a blueprint for getting your organization into compliance
What is a HIPAA Compliance Plan?
Am I required to have a plan? The answer is YES.
• Privacy: HIPAA requires Covered Entities to maintain all of the Privacy Policies and Procedures required by Federal Regulations. (45 CFR 164.530)
• Security: HIPAA requires Covered Entities to implement Policies and Procedures to prevent, detect, contain and correct security violations as to PHI in electronic form. (45 CFR 164.308)
What is a HIPAA Compliance Plan?
What’s the risk of not having or using a plan?
The Office for Civil Rights of the US Dept. of Health and Human Services and State Attorneys General have the power to sanction, fine or impose criminal sanctions on Covered Entities failing to comply with HIPAA regulations.
Violators BIG and Small
Mass Eye and Ear Infirmary settled a HIPAA violation case by paying $1.5 million.
• OCR cited the hospital for failure to adopt HIPAA-required policies and procedures
In 2012, a five-physician cardiac practice in Arizona paid $100,000 for violating HIPAA. The practice posted appointment schedules on a publicly-accessible calendar.
• OCR noted that the Practice had implemented few of the policies and procedures required by HIPAA.
On the Horizon
In addition, physician practices and others now face Common Law Tort (Negligence) Liability for failure to comply with HIPAA:
• Byrne v. Avery Center for Obstetrics, 2014 Conn. Lexis 386
• Walgreen Co. v. Abigail Hinchy, Ind. Ct. App. (2014)
@nuemd @totalhipaa+
What’s in a HIPAA Compliance Plan?
• Privacy and Security Policies and Procedures
• Privacy and Security Personnel
• Workforce Training and Management
• Data Safeguards
• Complaint Mechanism
• Retaliation and Waiver
• Document and Record Retention (among others)
Who Are The Players?
Covered Entities
Business Associates
Business Associate Subcontractors
Steps for Forming Your Compliance Plan
1. Choosing Privacy and Security Officers
2. Performing a Risk Assessment
3. Creating Privacy & Security Policies/Procedures
4. Business Associate Agreements
5. Training Employees
1. Choosing Privacy and Security Officers
• An officer within the company
• Can sanction employees for non-compliance
• One person could fill both positions
• Requires strong organizational skills
Without Privacy and Security Officers, your practice/company is not HIPAA Compliant!
Privacy Officer Responsibilities
• Adopts and enforces appropriate policies to comply with HIPAA
• Oversees enforcement of employee and patient Privacy Rights
• Posts the organization’s current Notice of Privacy Practices
• Sends and updates Business Associate Agreements as needed
• Ensures all staff is trained on HIPAA Privacy Policies/Procedures
Security Officer Responsibilities
• Oversees the Security of ePHI during Transit, Rest, and Storage
• Identifies potential threats to confidentiality/availability of ePHI
• Responds to actual or suspected Breaches of ePHI
• Consults with the Privacy Officer before hiring outside vendors
• Coordinates periodic Security audits of all computers/networks
• Works closely with HHS if there is an audit
• Ensures all staff is trained on HIPAA Security Policies/Procedures
2. Performing a Risk Assessment
Two options: Do It Yourself, or Hire an Outside Firm
Performing Your Own Risk Assessment
• Utilize a Risk Assessment tool
• Be thorough
• Conduct annually
In addition to annual assessments, you need to revisit your assessment whenever there is:
• A Security Breach
• A Theft
• A Change in hardware/software
3. Creating Privacy & Security Policies/Procedures
• Create two documents using your Risk Assessment as a guide
• Spell out how you will protect your patients’ and/or employees’ PHI
Use a template, or your legal counsel can help you create these documents.
4. Business Associate Agreements
Identify Your Business Associates/BA Subcontractors
• These are vendors who have access to your PHI
Review their compliance plans
• The 2013 HIPAA Omnibus penalizes BAs for Breaches
• Their Breaches could become your Breaches
• Review the Subcontractors they use
Collect signed Business Associate Agreements
• Be sure this Agreement conforms to HIPAA’s requirements
• Be wary of extra provisions that could compromise your practice or business
5. Training Employees
Remember to train on your organization’s HIPAA Obligations, Policies, and Procedures:
• How often do you require password changes?
• What mobile devices are approved for use?
• What are your sanction policies?
Special Thanks
Taylor English Duma LLP is a full-service law firm built from the ground up to provide highest-quality legal services for optimal value. The firm was founded in 2005 and its attorneys work each day to provide timely, creative and cost-effective counsel to help clients solve problems and achieve goals. Taylor English represents all types of clients—from Fortune 500 companies to start-ups to individuals.
Questions?