Leading Your HIPAA Culture in 2016
Finished files are the re-sult of years of scientif-ic study combined with the experience of many years.
Lance King, Vice President, Sales, Healthcare Compliance Solutions. Phone (801) 947-0183, [email protected]
What to expect
Lead Your Culture, Select Your Team, and Learn
✓ Create a Culture of Privacy, Security, and Safety
✓ HIPAA Breach – Identifying a Breach, Exceptions to a Breach
✓ HIPAA Protections – Security Risk Analysis, Social Media
✓ Compliance Training
Document Your Process, Your Findings, and Actions
✓ Documentation
✓ Policies and Procedures
✓ HIPAA Privacy & Security
Develop an Action Plan
✓ Audit Preparation
✓ Mitigating Risk
✓ Ongoing Training & Culture Maintenance
Lead Your Culture
168 Hours In a Week
(Chart segments: Fun, Staff, Accounting, Compliance, Patients, Front Desk)
Healthcare Compliance (HIPAA, OSHA…)
Insurance
HR
Accounting
Front Desk
Patient Care
Staff Training
PHI
AUDIT TIMELINE
Day 1 – Day 10 – Day 30/90 (dependent on completion of fieldwork)
5 COMMON CIRCUMSTANCES FOR AN AUDIT
1. Disgruntled ex-employee
2. A self-reported breach
3. Employee activists
4. Patient’s fear of breach
5. Random OCR visit
CREATE A CULTURE OF PRIVACY & SECURITY
• Communicate
• Guide
• Remind
IDENTIFYING A BREACH
“…unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors”:
1. Nature and extent of the PHI involved
2. The unauthorized person who used the PHI, or to whom it was disclosed
3. Whether the PHI was actually viewed or acquired
4. The extent to which the risk to the PHI has been mitigated
HIPAA BREACH
• Does your staff know who to go to for leadership when there is a HIPAA breach?
• Does your designated HIPAA compliance officer know all of the necessary steps to take in breach notification?
• Does your HIPAA compliance officer know where to receive guidance?
3 EXCEPTIONS TO A BREACH
3 Exceptions to the definition of “breach”:
1. Unintentional
2. Inadvertent
3. Good faith
HIPAA PROTECTIONS
Key Components of the HIPAA Privacy Rule:
• Ensure privacy
• Give patients more access
• Establish safeguards
• Hold violators accountable
• Strike a balance
• Enable patients
• Limit release of information
• Give patients the right to examine and obtain a copy
• Empower individuals to control certain uses and disclosures
HIPAA RISK PROTECTIONS
• Physical, Technical, and Administrative measures
• Internal and External Security threats
• Assessment of and preparations for security risks
7 STEPS TO HIPAA COMPLIANCE
1. Understand the rules
2. Assign responsibility
3. List your PHI systems
4. Conduct a Risk Analysis
5. Implement policies and procedures
6. Training program
7. Ongoing HIPAA progress and compliance
SECURITY RISK ANALYSIS
• Identify where PHI exists
• Identify potential threats and vulnerabilities to PHI
• Identify risks and their associated levels of high, medium, or low
TIPS FOR A BETTER SECURITY RISK ANALYSIS
• Educate staff about the process
• Make security a high priority
• Have an action plan
• Involve your EHR developer
• Make it specific to your practice
10 HIPAA SECURITY TIPS
1. Have a written security policy
2. Encrypt everything
3. Protect your website
4. Data backups
5. Avoid consumer grade
6. Know your risks
7. Plan for BYOD
8. Who is guarding the sheep?
9. Physical security is information security
10. Know when to call for help
SECURITY RISK PRECAUTIONS
Low-Cost Highly Effective Safeguards:
• Staff requests
• Hard drives
• Email
• Server
• Passwords
• Monitoring office staff
• Fire extinguishers
• Viruses and malware
SOCIAL MEDIA
To ensure your office remains in HIPAA compliance, create policies such as:
• Access controls
• Personal use
• Connecting with patients
• Patient waiver forms
• Training
COMPLIANCE TRAINING
• Online
• In-office
• Outsourced
WORKFORCE EDUCATION & TRAINING
Educate and train your staff:
• When hired or contracted
• Yearly retraining
• On changes in policies or procedures
• On changes in systems, location, or infrastructure
• When responding to a breach or disclosure
Documenting the Process, the Findings & the Actions
DOCUMENTATION
Examples of records to retain:
• Policies and procedures
• Security Risk Analysis
• Training materials and certificates of completion
• Current Business Associate Agreements
• EHR audit logs
• Risk management action plan
• Security incident and breach information
POLICIES AND PROCEDURES
• Establish protocols
• Training program
• Instruct your workforce
• Sanction policy for violations
• Detail enforcement
• Business Associates
Employee HIPAA Privacy & Security
Guidelines for employees:
• Name/ID badges
• Quiet communication
• PHI access
Workstation HIPAA Privacy & Security
Guidelines for workstations:
• Viewing PHI documents
• Disposing of PHI
• Workstations
• Protect user IDs and passwords
• Computers not in use
Access HIPAA Privacy & Security
Guidelines for access:
• Computer room access
• PHI back-ups
• Limited office equipment
• Unoccupied office equipment
Environmental HIPAA Privacy & Security
Guidelines for environment:
• Smoke detectors and fire extinguishers
• Computer equipment
• Cyber security
• Emergency action plan
Developing an Action Plan
• All shapes and sizes
• Across-the-board compliance
• Document in advance
AUDIT PREPARATION
Some of the areas the OCR audits will cover include:
• Risk management plan
• Policies and procedures
• Business Associate agreements
• PHI inventory
• Mobile devices
• Documentation
• Compliance training records
• Evidence of encryption capabilities
AUDIT PREPARATION
Mitigating Risk
ONGOING TRAINING & CULTURE MAINTENANCE
• Patient-provider relationship
• Training on PHI safeguards
• Easy reference of policies and procedures
• Addressing staff
• Re-assessing job functions
SECURITY RISK ANALYSIS
Options (shown on a scale from (-) to (+)):
• Consultant
• In-house
• Online
What to Expect with HCSI
1. Membership Website Portal
2. Compliance Binders
3. Ongoing Support
Training (New Employee & Retraining)
• HIPAA Privacy
• HIPAA Security
• OSHA
• Medicare
• Employment Law
Manuals
• Reference Guide
• Compliance Plans
• Certificate Binder
Consultation and Support
• Weekly and Monthly Updates
• Quarterly Newsletter
• Phone and E-mail Support
• Quarterly Assessment
Customizable Forms
• Notice of Privacy Practices
• Business Associate Agreement
• All HIPAA Privacy
• All HIPAA Security
• Gap/Risk Analysis
• HIPAA HITECH Breach Notification
• All OSHA
• All Medicare
• Employment Law
• RAC
• Posters
Customer Testimonial
“Our HIPAA/OSHA compliance was a huge concern in our office, especially after one of our employees filed a complaint with OSHA. We started using HCSI 4 years ago and couldn't be happier with the program. It's simple to set up and easier to use. Do yourself a favor and sign up, it will make your life easier!”
- Dr. Kody Krause, DDS, Comfort Dental, Thompson Valley, CO
Customer Testimonial
“HCSI kept my fanny out of the hoosegow with a cranky (bit weirdo/psycho) patient who thought we had been naughty in multiple ways. Our association with you all made the difference. We passed the inspection with flying colors and OCR told the "patient" to bug off!! Loved it!”
- Lee Mecham Thrall, Clinic Administrator, Old Farm Obstetrics & Gynecology, L.L.C.
30 Day Money Back Guarantee!
Price Breakdown
• Compliance Officer Training ($250)
• Employee Training ($500)
• Risk Analysis ($250)
• Customized Compliance Plans ($1250)
• Customizable Forms ($100)
• Posters ($100)
• Compliance Updates: E-mail & Newsletters ($50)
• Phone & E-mail Support ($500)
$3500 Value
HCSIINC.COM
Early Bird Discount: $200 OFF
Compliance Officer Training
“Compliance Officer”
Customized Policies & Procedures
Quarterly Assessment Support Calls