855.85HIPAA www.compliancygroup.com

Industry leading Education

Certified Partner Program

• Please ask questions
• For today's slides: http://compliancy-group.com/slides023/
• Today's & past webinars go to: http://compliancy-group.com/webinar/

Get Involved.

#cgwebinar

Industry leading Education - Compliancy Group... Agenda: HIPAA Audit Program Overview; Pilot Program Results and Discussion; Five Steps to Surviving an Audit; Questions


Surviving a HIPAA Audit: Five Crucial Steps

RICHARD WAGNER


Quick Poll #1


Quick Takeaway

• The HIPAA Audit program sounds scary
• Challenge – think of this as an opportunity
  ◦ IT/Security/Compliance: voice can be heard
  ◦ Providers: better serve your patients in an increasingly unsecure environment
• Overall theme: tackle the priority items, then move onto the other issues


Agenda

• HIPAA Audit Program Overview
• Pilot Program Results and Discussion
• Five Steps to Surviving an Audit
• Questions


The HIPAA Audit Program

• Enacted into law in 2009 (ARRA/HITECH)
• Designed to combat ex post enforcement
• HHS’ Office of Civil Rights (OCR) oversees program, but most work contracted out to consultants
• Two pilot programs (2012 and 2013)
• Permanent rollout in 2014


Pilot: 2012-2013

• Caveat: designed/implemented before Omnibus Rule
  ◦ Covered Entities only, no Business Associates
  ◦ Used old breach analysis, etc.
• OCR findings
  ◦ Many issues, even intentional misrepresentations
  ◦ Small providers had the most difficulty
  ◦ Security flaws dominated findings


Pilot Findings


Privacy Rule Findings


Security Rule Problems


Points of Emphasis: Privacy Rule

• Policies and procedures
• Minimum Use


Points of Emphasis: Security Rule

• Risk assessment, risk assessment, and risk assessment
• Mobile device security
  ◦ Data in motion
  ◦ Data at rest
• Security incident procedures
  ◦ Ever more important after HIPAA Omnibus Regulations went into effect


HIPAA Audit Survival

THE FIVE STEPS


Step #1 – Organization

• Initial document request period: 10 days from the postmarked audit letter
• Done by design: testing your response time
• Following this step also allows you to assess your documentation gaps
• Update old documents
• Establishing an audit trail


Quick Poll #2


Step #2 – Security Risk Assessment

• The most important document you need for HIPAA compliance
  ◦ Stressed by OCR and the HIPAA Audit process
  ◦ Also has great practical value – a risk assessment is foundational to proper risk management
• Does not have to be daunting – scalable according to size
• What you need to assess
  ◦ Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
• Other tips


Step #3 – Plugging the PHI Holes

• Risk management – comes on the heels of your risk assessment
• Document everything
  ◦ Remember, the goal is to establish an audit trail
• Prioritize risk mitigation actions


Step #4 – Business Associate Agreements

• Update your BAA to reflect Omnibus changes
  ◦ The changes aren’t drastic, but they need to be in there
• Make sure all vendors are under an agreement
  ◦ BAA terms and complexity needed can vary from provider to provider
  ◦ Consult your attorney if necessary
• Get subcontractor assurances
• Related – vendor management procedures


Step #5 – Training

• Point of emphasis in the audits, so documentation is critical
• Don’t limit yourself to HIPAA training
  ◦ Security awareness should be included as well
• Use the training as an opportunity to gain information


Conclusions

• Audits signal a major change in enforcement
• As worrisome as this might sound, this can be viewed as an opportunity
• Risk assessment: the foundation
• The more documentation, the better


Questions

Richard Wagner

richard@qliqsoft.com


Free Demo and 60 Day Evaluation

www.compliancy-group.com

855.85 HIPAA (855.854.4722)

The Guard:

One Simple, cost effective Compliance Tracking Solution that satisfies HIPAA, HITECH Risk Assessment, and Omnibus Compliance

• Reduces Risk & Liability
• Differentiates you from the competition
• Retain Clients/Patients
• Improve Revenue