Forming Your HIPAA Compliance Plan

Presented by Daniel B. Brown, Esq., Healthcare Attorney, Taylor English Duma LLP, and Jason Karn, Director of Training and IT


Today’s Presenters

Daniel B. Brown, Esq., Healthcare Attorney, Taylor English Duma LLP

Jason Karn, Director of Training and IT, Total HIPAA Compliance


Housekeeping

This program is educational and does not constitute, and may not be construed as, legal advice to, or creating an attorney-client relationship with, any person or entity.

The materials referenced here are subject to change, so frequent review of the source material is suggested.

What is a HIPAA Compliance Plan?

A compendium of your organization’s Policies and Procedures describing your Privacy and Security obligations over your Protected Health Information.

What is a HIPAA Compliance Plan?

The purpose of your plan is to…

• Provide evidence of your organization’s compliance with HIPAA’s Privacy and Security Regulations

• Serve as a blueprint for getting your organization into compliance

What is a HIPAA Compliance Plan?

Am I required to have a plan? The answer is YES.

Privacy: HIPAA requires Covered Entities to maintain all of the Privacy Policies and Procedures required by Federal Regulations. (45 CFR 164.530)

Security: HIPAA requires Covered Entities to implement Policies and Procedures to prevent, detect, contain and correct security violations as to PHI in electronic form. (45 CFR 164.308)

What is a HIPAA Compliance Plan?

What’s the risk of not having or using a plan?

The Office for Civil Rights (OCR) of the US Dept. of Health and Human Services and State Attorneys General have the power to sanction, fine or impose criminal sanctions on Covered Entities failing to comply with HIPAA regulations.

Violators BIG and Small

Mass Eye and Ear Infirmary settled a HIPAA violation case by paying $1.5 million.

• OCR cited the hospital for failure to adopt HIPAA-required policies and procedures

In 2012, a five-physician cardiac practice in Arizona paid $100,000 for violating HIPAA. The practice posted appointment schedules on a publicly-accessible calendar.

• OCR noted that the Practice had implemented few of the policies and procedures required by HIPAA.

On the Horizon

In addition, physician practices and others now face Common Law Tort (Negligence) Liability for failure to comply with HIPAA:

• Byrne v. Avery Center for Obstetrics, 2014 Conn. Lexis 386

• Walgreen Co. v. Abigail Hinchy, Ind. Ct. App. (2014)

What’s in a HIPAA Compliance Plan?


• Privacy and Security Policies and Procedures

• Privacy and Security Personnel

• Workforce Training and Management

• Data Safeguards

• Complaint Mechanism

• Retaliation and Waiver

• Document and Record Retention (among others)


Who Are The Players?

Covered Entities

Business Associates

Business Associate Subcontractors


Steps for Forming Your Compliance Plan

1. Choosing Privacy and Security Officers

2. Performing a Risk Assessment

3. Creating Privacy & Security Policies/Procedures

4. Business Associate Agreements

5. Training Employees

1. Choosing Privacy and Security Officers

• An officer within the company

• Can sanction employees for non-compliance

• One person could fill both positions

• Requires strong organizational skills

Without Privacy and Security Officers, your practice/company is not HIPAA Compliant!

Privacy Officer Responsibilities

• Adopts and enforces appropriate policies to comply with HIPAA

• Oversees enforcement of employee and patient Privacy Rights

• Posts the organization’s current Notice of Privacy Practices

• Sends and updates Business Associate Agreements as needed

• Ensures all staff is trained on HIPAA Privacy Policies/Procedures


Security Officer Responsibilities

• Oversees the Security of ePHI during Transit, Rest, and Storage

• Identifies potential threats to confidentiality/availability of ePHI

• Responds to actual or suspected Breaches of ePHI

• Consults with the Privacy Officer before hiring outside vendors

• Coordinates periodic Security audits of all computers/networks

• Works closely with HHS if there is an audit

• Ensures all staff is trained on HIPAA Security Policies/Procedures


2. Performing a Risk Assessment

Do It Yourself, or Hire an Outside Firm

Performing Your Own Risk Assessment

• Utilize a Risk Assessment tool

• Be thorough

• Conduct annually

In addition to annual assessments, you need to revisit your assessment whenever there is a:

- Security Breach

- Theft

- Change in hardware/software

3. Creating Privacy & Security Policies/Procedures

• Create two documents using your Risk Assessment as a guide

• Spell out how you will protect your patients’ and/or employees’ PHI

Use a template, or have your legal counsel help you create these documents.

4. Business Associate Agreements

Identify Your Business Associates/BA Subcontractors: these are vendors who have access to your PHI.

Review their compliance plans: the 2013 HIPAA Omnibus Rule penalizes BAs for Breaches, and their Breaches could become your Breaches. Review the Subcontractors they use.

Collect a signed Business Associate Agreement. Be sure this Agreement conforms to HIPAA’s requirements, and be wary of extra provisions that could compromise your practice or business.

5. Training Employees

Remember to train on your organization’s HIPAA Obligations, Policies, and Procedures, for example:

• How often do you require password changes?

• What mobile devices are approved for use?

• What are your sanction policies?

Special Thanks

Taylor English Duma LLP is a full-service law firm built from the ground up to provide highest-quality legal services for optimal value. The firm was founded in 2005 and its attorneys work each day to provide timely, creative and cost-effective counsel to help clients solve problems and achieve goals. Taylor English represents all types of clients—from Fortune 500 companies to start-ups to individuals.


Questions?