Diagnosing HIPAA Compliance

Post on 20-Aug-2015


Patient no: X89563

Diagnosing HIPAA Compliance

Key HIPAA Milestones

• August 1996: HIPAA enacted
• December 2000: Privacy Rule published
• February 2003: Security Rule issued
• February 2009: HITECH Act passed
• March 26, 2013: HIPAA final omnibus rule effective
• September 23, 2013: HIPAA audits start

HHS Office for Civil Rights Director Leon Rodriguez said, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”

Who does this affect?

Why the need for HIPAA compliance?

In the last 3 years

records were impacted by

3 parts of HIPAA compliance:

Privacy Rule 26%

Security Rule 65%

Breach Notif. Rule 9%

Administrative Safeguards 42%

Physical Safeguards 18%

Technical Safeguards 40%

Audit Violations within HIPAA Security Rule

What is the impact of a violation or compromise?

Getting started on your HIPAA compliance

Evaluate the likelihood and impact of potential risks to ePHI, implement appropriate security measures, document chosen security measures, and maintain appropriate security protections.

The Office of the National Coordinator for Health Information Technology has stated “doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

Need help getting started? SecurityMetrics HIPAA Focus helps you with every step of compliance, from risk identification to audit preparation.

For more information or to get started on your HIPAA compliance call 801.995.6801.

www.securitymetrics.com/hipaa

What is a covered entity? Health plans, health care clearinghouses and health care providers who electronically transmit any health information.

• Revise Business Associate Agreements
• Implement Business Associate HIPAA compliance program

• Damaged trust
• Fines up to $50,000 per day for each violation
• Loss of revenue
• Loss of customers
• Negative publicity

Resolution Agreement: A contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations, which may include fine payment. These agreements are reserved to settle infractions from HIPAA investigations and/or breaches.

Total of $14,883,345 in Resolution Agreements since 2008

“These changes [omnibus rule] not only greatly enhance a patient’s privacy rights and protections, but also strengthen enforce the HIPAA privacy and security protections.”

-Leon Rodriguez, HHS

The Office for Civil Rights performed test audits to assess the overall HIPAA compliance efforts of covered entities.

Who is a business associate? A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

That’s more than the populations of New York City, Los Angeles, Chicago, Houston, Denver, and Seattle combined.

Dr. HHS Audit
