Leading Your HIPAA Culture in 2016

Leading your HIPAA Compliance Culture in 2016



Finished files are the result of years of scientific study combined with the experience of many years.


Lance King
Vice President, Sales
Healthcare Compliance Solutions
Phone (801) 947-0183
[email protected]


What to Expect

Lead Your Culture, Select Your Team, and Learn

✓ Create a Culture of Privacy, Security, and Safety
✓ HIPAA Breach – Identifying a Breach, Exceptions to a Breach
✓ HIPAA Protections – Security Risk Analysis, Social Media
✓ Compliance Training

Document Your Process, Your Findings, and Actions

✓ Documentation
✓ Policies and Procedures
✓ HIPAA Privacy & Security

Develop an Action Plan

✓ Audit Preparation

Mitigating Risk

✓ Ongoing Training & Culture Maintenance


Lead Your Culture


168 Hours In a Week

FUN, STAFF, ACCOUNTING, COMPLIANCE, PATIENTS, FRONT DESK


Healthcare Compliance (HIPAA, OSHA…)

Insurance

HR

Accounting

Front Desk

Patient Care

Staff Training


PHI


AUDIT TIMELINE

Day 1, Day 10, Day 30/90, Dependent on Completion of Fieldwork


5 COMMON CIRCUMSTANCES FOR AN AUDIT

1. Disgruntled ex-employee
2. A self-reported breach
3. Employee activists
4. Patient’s fear of breach
5. Random OCR visit


CREATE A CULTURE OF PRIVACY & SECURITY

• Communicate
• Guide
• Remind


IDENTIFYING A BREACH

“…unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors”:

1. Nature and extent of the PHI involved
2. The unauthorized person who used the PHI, or to whom it was disclosed
3. Whether the PHI was actually viewed or acquired
4. The extent to which the risk to the PHI has been mitigated


HIPAA BREACH

• Does your staff know who to go to for leadership when there is a HIPAA breach?
• Does your designated HIPAA compliance officer know all of the necessary steps to take in breach notification?
• Does your HIPAA compliance officer know where to receive guidance?


3 EXCEPTIONS TO A BREACH

3 Exceptions to the definition of “breach”

1. Unintentional
2. Inadvertent
3. Good faith


HIPAA PROTECTIONS

Key Components of the HIPAA Privacy Rule:

• Ensure privacy
• Give patients more access
• Establish safeguards
• Hold violators accountable
• Strike a balance
• Enable patients
• Limit release of information
• Give patients the right to examine and obtain a copy
• Empower individuals to control certain uses and disclosures


HIPAA RISK PROTECTIONS

• Physical, Technical, and Administrative measures
• Internal and External Security threats
• Assessment of and preparations for security risks


7 STEPS TO HIPAA COMPLIANCE

1. Understand the rules
2. Assign Responsibility
3. List your PHI systems
4. Conduct a Risk Analysis
5. Implement Policies and Procedures
6. Training program
7. Ongoing HIPAA progress and compliance


SECURITY RISK

• Identify where PHI exists
• Identify potential threats and vulnerabilities to PHI
• Identify risks and their associated levels of high, medium, or low


TIPS FOR A BETTER SECURITY RISK ANALYSIS

• Educate staff about process
• Make security a high priority
• Have an action plan
• Involve your EHR developer
• Specific to your practice


10 HIPAA SECURITY TIPS

1. Have A Written Security Policy
2. Encrypt Everything
3. Protect Your Website
4. Data Backups
5. Avoid Consumer Grade
6. Know Your Risks
7. Plan For BYOD
8. Who Is Guarding The Sheep
9. Physical Security Is Information Security
10. Know When To Call For Help


SECURITY RISK PRECAUTIONS

Low-Cost Highly Effective Safeguards:

• Staff requests
• Hard drives
• Email
• Server
• Passwords
• Monitoring office staff
• Fire extinguishers
• Viruses and malware


SOCIAL MEDIA

To ensure your office remains in HIPAA compliance, create policies such as:

• Access Controls
• Personal
• Connecting with patients
• Patient waiver forms
• Training


COMPLIANCE TRAINING

• Online
• In-office
• Outsourced


WORKFORCE EDUCATION & TRAINING

Educate and train your staff:

• Hired or contracted
• Yearly retraining
• Changes in policies or procedures
• Changes in systems, location, or infrastructure
• Responding to breach or disclosure


Documenting the Process, the Findings & the Actions


DOCUMENTATION

Examples of records to retain:

• Policies and procedures
• Security Risk Analysis
• Training materials, and certificates of completion
• Current Business Associate Agreements
• EHR audit logs
• Risk management action plan
• Security incident and breach information


POLICIES AND PROCEDURES

• Establish protocols
• Training program
• Instruct your workforce
• Sanction policy for violations
• Detail enforcement
• Business Associates


Employee HIPAA Privacy & Security

Guidelines for employees:

• Name/ID badges
• Quiet Communication
• PHI access


Workstation HIPAA Privacy & Security

Guidelines for workstations:

• Viewing PHI Documents
• Disposing of PHI
• Workstations
• Protect user IDs and passwords
• Computers not in use


Access HIPAA Privacy & Security

Guidelines for access:

• Computer room access
• PHI Back-ups
• Limited office equipment
• Unoccupied Office equipment


Environmental HIPAA Privacy & Security

Guidelines for environment:

• Smoke detectors and fire extinguishers
• Computer equipment
• Cyber security
• Emergency Action plan


Developing an Action Plan


AUDIT PREPARATION

• All shapes and sizes
• Across-the-board compliance
• Document in advance


AUDIT PREPARATION

Some of the areas the OCR audits will cover include:

• Risk management plan
• Policies and procedures
• Business Associate agreements
• PHI inventory
• Mobile devices
• Documentation
• Compliance training records
• Evidence of encryption capabilities


Mitigating Risk


ONGOING TRAINING & CULTURE MAINTENANCE

• Patient-provider relationship
• Training on PHI safeguards
• Easy reference of Policies and Procedures
• Addressing staff
• Re-assessing job functions


SECURITY RISK ANALYSIS


Options

Consultant

In-house

Online


What to Expect with HCSI

1. Membership Website Portal
2. Compliance Binders
3. Ongoing Support


Training (New Employee & Retraining)

• HIPAA Privacy
• HIPAA Security
• OSHA
• Medicare
• Employment Law


Manuals

• Reference Guide
• Compliance Plans
• Certificate Binder


Consultation and Support

• Weekly and Monthly Updates
• Quarterly Newsletter
• Phone and E-mail Support
• Quarterly Assessment


Customizable Forms

• Notice of Privacy Practices
• Business Associate Agreement
• All HIPAA Privacy
• All HIPAA Security
• Gap/Risk Analysis
• HIPAA HITECH Breach Notification
• All OSHA
• All Medicare
• Employment Law
• RAC
• Posters


“Our HIPAA/OSHA compliance was a huge concern in our office, especially after one of our employees filed a complaint with OSHA.

We started using HCSI 4 years ago and couldn't be happier with the program.

It's simple to set up and easier to use. Do yourself a favor and sign up, it will make your life easier!”

-Dr. Kody Krause, DDS
Comfort Dental Thompson Valley, CO

Customer Testimonial


“HCSI kept my fanny out of the hoosegow with a cranky (bit weirdo/psycho) patient who thought we had been naughty in multiple ways.

Our association with you all made the difference. We passed the inspection with flying colors and OCR told the "patient" to bug off!! Loved It!”

-Lee Mecham Thrall, Clinic Administrator
Old Farm Obstetrics & Gynecology, L.L.C

Customer Testimonial


30 Day Money Back Guarantee!


Price Breakdown

• Compliance Officer Training ($250)
• Employee Training ($500)
• Risk Analysis ($250)
• Customized Compliance Plans ($1250)
• Customizable Forms ($100)
• Posters ($100)
• Compliance Updates: E-mail & Newsletters ($50)
• Phone & E-mail Support ($500)


$3500 Value

HCSIINC.COM


Early Bird Discount: $200 OFF


Compliance Officer Training

“Compliance Officer”


Customized Policies & Procedures


Quarterly Assessment Support Calls
